What are the GDPR Principles for Processing Personal Data?
13 Mar, 2023


Understanding the principles for processing personal data is vital to achieving compliance with different privacy and data protection regulations as the principles set the foundations that organisations should consider when processing personal data.

One of the first data protection instruments to address some privacy and data protection principles was developed by the Organisation for Economic Co-operation and Development (OECD) and the Council of Europe in 1980: The Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

These Guidelines set the basic rules that governed transborder data flows and the protection of privacy and personal data, in order to facilitate the harmonisation of data protection laws. Among their principles on the processing of personal data are collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation (data subject rights) and accountability.

All those principles were reflected in the General Data Protection Regulation (GDPR), which established seven principles that organisations should follow when processing personal data, presented below:


1. Lawfulness, fairness and transparency

Organisations must process personal data lawfully, fairly and in a transparent manner in relation to the data subject (the individual whose data is being processed). This means that the activity performed by the organisation must be legitimised under a legal basis defined by the GDPR (arts. 6 and 9) and cannot violate any law that applies to the context of the processing.

Moreover, the processing should be fair, which means that personal data cannot be processed when the data subjects would not reasonably expect this processing to happen, or when the processing may result in unjustified adverse effects on them.

Finally, personal data must be processed transparently in relation to the data subject. Therefore, the organisation must provide data subjects with sufficient information about the processing of their personal data, such as which personal data is being processed and the purposes of the processing, in an accessible way and using clear and plain language. The information that needs to be presented to the data subjects is set out in articles 12 to 14 of the GDPR.


2. Purpose Limitation

Personal data must be collected for specified, explicit and legitimate purposes and cannot be further processed in a way that is incompatible with those initial purposes. Therefore, organisations can only process personal data for a specific and legitimate reason.


3. Data minimisation

The data minimisation principle establishes that the personal data being processed for a specific purpose by an organisation should be adequate, relevant and limited to what is strictly necessary in relation to that purpose.

Therefore, organisations should process only the personal data that is proportionate and necessary to achieve the specific purpose initially defined, avoiding the processing of data that is irrelevant to that purpose.


4. Accuracy

Personal data must be accurate and kept up to date. This means that organisations need to ensure that the personal data processed is accurate. To ensure this, organisations should establish an internal mechanism to monitor, erase or rectify inaccurate personal data when necessary. This principle is directly linked to the right to rectification set out in article 16 of the GDPR.


5. Storage Limitation

According to the storage limitation principle, personal data should be kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. This means that once personal data is no longer needed, it must be securely deleted.

Controllers must set retention periods for personal data, taking into account its processing purposes, and put in place internal mechanisms to delete the data when the storage period expires. The GDPR allows the storage of personal data for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, or for scientific, historical research or statistical purposes.


6. Integrity and Confidentiality

Organisations must ensure that appropriate security measures, both technical and organisational, are in place to protect personal data and prevent data breaches.

The GDPR does not prescribe the specific security measures that must be in place to protect the confidentiality, integrity and availability of personal data. Therefore, controllers and processors should assess the level of risk that a processing activity poses to the rights and freedoms of the data subjects. Based on that risk, organisations should adopt security measures that are adequate to protect the personal data accordingly.


7. Accountability

Organisations shall be able to demonstrate compliance with the GDPR requirements. Therefore, all the measures adopted by the organisation to comply with the GDPR should always be documented, e.g. by keeping records of data protection impact assessments and legitimate interest assessments, internal policies and procedures such as the privacy policy and the data breach response plan, records of processing activities, training and awareness evidence, etc.

It is important to note that accountability obligations are ongoing, which means that organisations must review the adopted measures regularly and update them when necessary.


In Summary

These principles are the basis of the GDPR obligations for controllers and processors. As noted by the Information Commissioner's Office (ICO), the principles "don't give hard and fast rules, but rather embody the spirit of the general data protection regime". Therefore, keeping the principles in mind and implementing them within the organisation's processing operations is considered good practice for GDPR compliance.

Have you implemented these principles in the processing of personal data within your organisation?

