GDPR: data protection principles

Status: Modified

This is a modified concept. The data protection principles have been modified but largely address the same issues considered in the Data Protection Act 1998 (DPA), albeit with some expansion.

Accountability has been introduced as a new concept. This principle requires that controllers are responsible for, and are able to demonstrate compliance with, the data protection principles.

Comparison of DPA and GDPR principles

Data processed lawfully, fairly and in a transparent manner ('lawfulness, fairness and transparency')

• DPA: Under the DPA the data controller is required to process the data fairly and lawfully. The DPA also requires that the data controller make available to the data subject certain specific information but there is no express obligation to process the data transparently. 
• GDPR: The inclusion of the principle of transparency is a new provision in the GDPR. The DPA does make some provision for the data controller to process data transparently but this concept has now been enshrined as a core principle.  

Data obtained for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes ('purpose limitation')

• DPA: The principle in the DPA places similar limitations on processing as those contained in the GDPR principle.  The DPA permits further processing for statistical or historical purposes. 
• GDPR: Largely remains the same as under the DPA.  However, the GDPR also permits further processing for public interest and/or scientific purposes, widening the scope for further processing by controllers.

Data processed is adequate, relevant and limited to what is necessary ('data minimisation')

• DPA: The DPA requires that processing shall not be excessive in relation to the purpose for which the personal data is processed.
• GDPR: The GDPR strengthens this requirement. The GDPR raises the threshold from the controller being limited to processing that is not excessive to only enabling the controller to process data that is necessary. 

Data is accurate and, where necessary, kept up to date ('accuracy')

• DPA: Under the DPA the data held shall be accurate and, where necessary, kept up to date. This is not an absolute and unqualified right and the data controller is only required to take reasonable steps to ensure the accuracy of the data. 
• GDPR: The GDPR requires the same standard as under the DPA. The qualification of 'reasonableness' is now expressly contained within the principle. 

Data not to be kept longer than is necessary for the purpose ('storage limitation')

• DPA: The DPA also requires that data is not held for longer than is necessary but that data held for statistical or historical purposes can be kept indefinitely.
• GDPR: The GDPR follows the DPA but expands on the list of exemptions to this principle. The GDPR permits the storage of data for longer periods than necessary where the data is being processed for archiving purposes in the public interest and/or scientific purposes, this is in addition to the statistical or historical purposes covered in the DPA.  

Appropriate technical and organisational measures against unauthorised or unlawful processing, loss, damage or destruction ('integrity and confidentiality')

• DPA: The DPA covers the same requirement for technical and organisational measures to be put in place to protect against the risks identified in the GDPR principle.
• GDPR: The GDPR principle mirrors the core values contained in the DPA.

What is the impact for organisations?

• The modifications made to the principles will require procedural changes such as revisions to internal policies and audit procedures within organisations to ensure compliance. Ensuring compliance with the principles of the GDPR has become more important in light of the increase in available financial sanctions for breach.
• The requirement for organisations in the UK to notify the Information Commissioner of processing activities has been abolished but the accountability principle ensures that businesses will still need to keep a record of how they comply with their obligations. These record-keeping requirements will, for some businesses, be fairly extensive. This is explored in more detail in our briefing on the accountability principle.
• The criteria for obtaining the data subject’s consent have been strengthened, meaning that controllers may be required to rely on other grounds to satisfy the principle of lawful processing.

What action is required?

• Review personal data held to ensure that it is accurate. Any inaccurate data will need to be erased or corrected.
• Review internal policies and audit procedures, updating these where necessary to ensure that the procedures comply with the GDPR.
• Maintain documentation relating to how data is processed to ensure that the organisation has evidence that it is fulfilling its duties under the GDPR.
• Ensure that appropriate training is provided to ensure that the business is thinking about data protection issues at all levels.
• Consider approved codes of conduct and certification mechanisms which are to be designed by industry or sector specific bodies.

The actions described above will assist in illustrating that a business is compliant with the principles.