The General Data Protection Regulation is – by far – the biggest change in European data protection law in 20 years and a major change in focus towards the rights of the data subject. The GDPR is quite a long legal text and certainly not ‘easy reading’.
The six principles regarding processing of personal data defined in it, however, are remarkably simple:
Lawfulness, Fairness, and Transparency
First of all, the GDPR dictates that you should have a legitimate reason to process a person’s personal data. Only if that is the case, can you proceed to inform the data subject of which personal data you intend to gather, exactly what purpose you want to use it for, and for how long.
Then, after you have collected personal data for the specified, explicit and legitimate purposes you notified the data subject of, you cannot reconsider. The ‘on second thought, now that we have this data we can also …’ avenue is not permitted. There is some wiggle room when it comes to data for archiving purposes and scientific research in the public interest. But, in principle, the purposes are limited to what you initially notified the data subject of.
Given that limitation, one could have the idea to ask for just a little more information than is strictly necessary. Just from the point of view that ‘you never know what might come in handy’. The GDPR, however, closes that road too. Data processing shall be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’. And, if there is a way to reach your goals using less personal data, or none at all, that should be your first choice.
Whilst processing personal data, the data must be kept accurate and up to date. Every reasonable effort should be taken to ensure that personal data which is inaccurate is rectified or deleted. That, in itself, is a very good reason not to keep personal data any longer than strictly necessary: keeping data secure and up-to-date is very expensive.
This principle dictates that data should not be traceable to an individual person any longer than necessary. As an example, you can think of a local government that must determine how many car parking spaces are needed in the city center. They could find out by monitoring the license plates of cars entering and leaving the center every day for a period of time. Unfortunately, a license plate is personal data because it can be traced to a specific person (the owner). As soon as a particular car has left the area, however, the license plate information is no longer needed and can be deleted. The system only needs to remember at what time the car in question passed through the center on a given day and how long it stayed before leaving the area.
Integrity and Confidentiality
When processing personal data in any way (even ‘only saving it’), appropriate security measures must be implemented. This includes protection against unauthorized or unlawful processing as well as against accidental loss, destruction, or damage. Technical solutions an organization might implement such as encryption, redundancy and back-up facilities, security testing and audits can help to meet these requirements.
 See GDPR article 5.
This article has been written by guest author Leo Besemer.