Under the GDPR, a data controller must comply with seven key principles of data protection. These principles are the core values that underpin European data protection law, and they carry many similarities with those found in the Data Protection Act.
Before we get into the principles, it is important to understand the definition of a data controller:
‘A data controller is the natural or legal person who, alone or jointly with other persons, determines the purpose and means of processing of personal data. The data controller must comply with all obligations set out in the GDPR’
Personal data must be processed lawfully, fairly and in a transparent manner. This means the data controller must:
Personal data must be collected for specific, explicit and legitimate purposes and not be further processed in a manner that is incompatible with these purposes.
Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This means that the categories of personal data processed should be relevant to the purpose.
Personal data must be accurate and up to date. This requires data controllers to put in place policies and procedures for ensuring that personal data is accurate and updated as required.
Personal data must be retained for no longer than is necessary.
Personal data must be processed in a manner that ensures appropriate security and protects against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational security measures.
The data controller is responsible for, and must be able to demonstrate, compliance with the other principles. This is known as the accountability principle.
A data controller must provide detailed information to data subjects regarding any intended processing of personal data. This information is usually given in a ‘fair processing notice’, or ‘privacy notice’.
Data controllers must have transparent and easily accessible notices and provide information in a concise form, using clear and plain language.
A privacy notice must contain the following:
A data controller must be able to rely on a ‘processing condition’ when processing personal data. This forms the legal basis for the processing.
The processing conditions set out in the GDPR include:
If the processing is of a special category of data, an additional processing condition must also be satisfied. These are different from the processing conditions for personal data and include: