The EU’s General Data Protection Regulation (GDPR) protects the personal data of those living within the European Economic Area (EEA). The GDPR principles lie at the core of this regulation. The GDPR sets out seven fundamental principles:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Lawfulness, Fairness, and Transparency
This principle applies to how personal data is processed. First, the methods used to obtain personal data must be lawful. Second, personal data must be processed in a way consistent with how that processing was described to the data subject. Third, data subjects must be fully informed about what data is being collected, why it is being collected, and how long it will be kept.
Purpose Limitation
The personal data collected must be limited to what the data subject has consented to. Data controllers must not collect data that is not needed to perform their processing duties.
Data Minimization
Personal data collection should be relevant and limited to what is needed for an organization to fulfill its service.
Accuracy
Personal data records should be accurate and up-to-date. Inaccurate data must be corrected or deleted.
Storage Limitation
Personal data should not be stored for longer than legally necessary.
Integrity and Confidentiality
Appropriate technical and organizational security measures must be in place to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Accountability
Organizations must confirm and demonstrate compliance with GDPR. Adhering to the accountability principle can include:
- Keeping records that show your GDPR compliance to regulators,
- Performing data privacy assessments to determine compliance and risks, such as a Data Privacy Impact Assessment (DPIA), or
- Documenting a data map.