The General Data Protection Regulation (GDPR) deals with data protection and processing at the European Union level. Organisations must demonstrate their compliance with the provisions of the GDPR. GDPR compliance helps the data subjects to quickly assess the level of data protection provided by an organisation.
Articles 42 and 43 of the GDPR cover data protection certification and allow organisations to showcase and account for their compliance measures. Organisations can enhance their measures and go beyond what the GDPR requires. When an organisation obtains a certification, it is considered to have the necessary safeguards in place for the processing of personal data.
The GDPR differentiates between the data controller, the data processor and the data protection officer (DPO).
- The Data Controller is a natural or legal person (such as a company or a non-profit organisation), agency, public authority or any other body that determines the purposes and conditions of the processing of personal data.
- The data controller owns the data and sets the rules on how it can be collected and processed. The data controller keeps a record of the processing activities and can designate Data Processors who collect and process the data on behalf of the data controller.
- The Data Protection Officer (DPO) is responsible for ensuring the organisation is processing the personal data in compliance with the GDPR rules.
The 7 guiding principles of the GDPR
1. Lawfulness, transparency and fairness
Organisations need to state the legal basis on which they collect data. The options provided by the GDPR include legitimate interests, public interest and consent.
Organisations have to be transparent about which data is collected, from whom it is collected, for what purpose it is collected and how long it will be kept. This information has to be provided clearly and in easy-to-understand language.
The fairness principle requires that data be handled in a way that people would reasonably expect, and this includes how the data was collected. If the data was obtained by deceiving someone, the data controller is in breach of the fairness principle.
2. Purpose limitation
Personal data should be collected for explicit, specific and legitimate purposes, and it cannot be processed in a way that is incompatible with those purposes. At least one of the stated purposes must apply before processing of the data begins.
In some cases, the data can be processed for new purposes if they are compatible with the original purpose; examples are scientific research, archiving in the public interest, historical research and statistics. The consent of the data controller for the new purpose is required. Data can also be processed if a new legal provision requires the processing and allows it in the public interest.
3. Data minimisation
Identify the minimum amount of personal data required for processing before collecting it. Personal data should be relevant, sufficient and limited to what is necessary, that is, limited to what is needed to fulfil the purposes for which it is processed.
4. Accuracy
The data should be accurate and kept up to date, and the data controller should ensure that it is. If the data is incorrect, inaccurate or misleading, it should be rectified or deleted without delay.
In some cases, the data controller can rely on the data subjects, for example when an address in the database needs to be updated.
5. Storage limitation
The data should be stored for a specific period of time and no longer than required. If the purpose of keeping the data is no longer valid or is outdated, the data should be deleted or anonymised. This prevents the data from becoming irrelevant, excessive, inaccurate or out of date, and it encourages data controllers to set retention limits and policies.
6. Integrity and confidentiality
Appropriate measures should be taken to keep personal data secure. The data should be protected against unauthorised or unlawful processing and against accidental loss, damage or destruction.
7. Accountability
The data controller is responsible and accountable for compliance with the GDPR and should take the required measures, such as implementing a privacy management framework.
The GDPR sets out guidelines for how data can be collected and on what legal basis it can be processed. An organisation's GDPR compliance and certification allow quicker and more precise assessments, help others understand the level of data protection of its products and services, and enhance transparency for data subjects and in business-to-business relations.