The EU’s General Data Protection Regulation (GDPR) establishes a set of data protection principles to ensure the secure and responsible handling of personal data. These principles are as follows:
1. Lawfulness, fairness, and transparency: GDPR requires that personal data be collected and processed lawfully and in a transparent manner.
This means the organization must process the data of individuals (customers, employees, etc.) in accordance with the rules of GDPR, and the ‘what’, ‘why’, ‘how’, ‘where’ and ‘who’ of the processing must be visible to the individual whose data is being processed:
- What data is being processed: names, addresses, emails, etc.
- Why the data is needed by the organization; for example, payroll processing or sending deliveries to the address
- How the data is collected by the organization; examples include a personal interview, an online form, or social media
- Where the data is processed
- Who the data is shared with.
2. Purpose limitation: GDPR requires that personal data be collected and processed for specified, explicit, and legitimate purposes.
3. Data minimization: GDPR requires that personal data be adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
4. Accuracy: GDPR requires that personal data be accurate and, where necessary, kept up to date.
5. Storage limitation: GDPR requires that personal data be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
6. Integrity and confidentiality: GDPR requires that personal data be processed in a manner that ensures its security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.