Key principles
There are seven general principles set out in .
Personal data related to a data subject should be processed lawfully, fairly, and in a transparent manner. To achieve this goal, one needs to have a thorough understanding of the GDPR.
Personal data should be collected for a specific, explicit, and legitimate purpose.
Any personal data collected should be adequate and limited to what’s necessary for the purposes for which it is processed. Following this principle brings two key benefits: 1) potential damage is minimized in the event of a data breach, and 2) the amount of data that needs to be maintained to stay accurate is limited.
Maintaining the accuracy of personal data is essential to data protection. The GDPR states that “every reasonable step must be taken” to erase or rectify data that is inaccurate or incomplete.
Personal data that allows identification of the data subject shall be kept only as long as necessary to fulfill the processing purpose. This will normally be the period of a business relationship.
It’s important to note that such personal data may be stored longer, provided it is processed only for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes. Check for further details.
Personal data shall be processed in a way that ensures appropriate security (protection against unauthorized or unlawful processing, loss, destruction, or damage of the data), which requires suitable technical and/or organizational measures.
The GDPR does not state specific requirements because technology and best practices constantly evolve. Current standards involve data encryption and pseudonymization where possible.
The data controller shall be responsible for and be able to demonstrate compliance with the above six principles.