Getty Images/iStockphoto
7 principles of the GDPR explained
The GDPR's seven data protection principles on the lawful processing of data are directly influencing the way businesses collect, store, erase and monetize personal information.
The General Data Protection Regulation's Article 5 describes seven data protection principles for the lawful processing of personal data. Although the GDPR is often framed as the "right to be forgotten" regulation, the data protection principles contained in Article 5 provide information relating to the processes, practices and skills businesses need to cultivate a data protection environment and demonstrate compliance.
Companies that break the law are liable for fines up to €20 million ($21.7 million) or 4% of worldwide revenues. The GDPR Enforcement Tracker provides the best data on GDPR actions, said Rupert Brown, CTO at continuous compliance platform provider Evidology Systems. It highlights the inconsistencies of fines imposed between the regulatory bodies across the EU and U.K.
The Enforcement Tracker, according to Brown, doesn't use consistent classification taxonomies to designate the root causes of each fine, but it does provide some insights into what kinds of violations regulators have been focusing their attention regarding the GDPR's seven principles. The category hit with the largest sum of fines thus far has been "non-compliance with general data processing principles" at €2.08 billion ($2.25 billion), while the highest number of fines (629) has been levied for an "insufficient legal basis for data processing." The lowest sum of fines has been for "insufficient involvement of data protection officer" at €955,300 ($1.04 million), and only 11 fines have been levied for "insufficient data processing agreement." Notably, at just €3.02 million ($3.27 million) and 41 fines, "insufficient fulfillment of data breach notification obligations" is near the low end of the 10 penalized categories listed.
Since the GDPR's enactment six years ago, the seven principles on the lawful processing of data contained in Article 5 have shaped the data protection practices of enterprises doing business in the EU. Lawful processing includes the collection, organization, structuring, storage, alteration, restriction, erasure or destruction of personal data.
1. Lawfulness, fairness and transparency
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject ["the identified or identifiable living individual to whom personal data relates" as defined by the U.K.'s Information Commissioner's Office (ICO)].
"The highest-profile fines are not for data breaches but for unlawful processing, collection on minors, opaque opt-out policies and lack of transparency," reported Padraic O'Reilly, founder and chief innovation officer at cyber-risk management platform provider CyberSaint. This principle changes how enterprises should approach consumer data and implement their data protection policies.
"In industry circles, consumer data is often compared to plutonium -- powerful and valuable but terribly dangerous to the handler if abused," said Mike Pedrick, vice president of cybersecurity consulting at managed security services provider Nuspire. The transparency aspect of the principle also conflicts with the practice of monetizing data and using data to train AI and machine learning models. Pedrick believes many U.S.-based companies will work with their legal counsels to implement policies that satisfy the legal standard of transparency, while protecting an enterprise's ability to conduct business.
Data protection laws, including the GDPR, tend to overreach initially, said Don Pecha, chief information security officer at managed IT services provider FNTS. As a result, businesses within the jurisdiction of these laws incur additional expenses in planning, training and education. "Transparency and fairness are principles behind these laws," Pecha explained, "but they are still not very visible to the consumer, who never sees a dime if their privacy was violated."
2. Purpose limitation
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.
IT managers need to clarify their purpose and why it's considered legitimate by regulators. "A phrase I have probably never used prior to the introduction of the GDPR, but I use regularly now, is 'if challenged,'" said Donnie MacColl, senior director of technical support at cybersecurity platform provider Fortra. He pointed to questions raised by regulatory authorities, including the following:
- What personal data does the company use?
- What legal basis does the company use?
- How transparent is the company with individuals about the use of their personal data?
- How easy is it for individuals to request a copy of or delete their data?
- How can individuals amend their data if they feel it is incorrect?
"If I am challenged," MacColl said, "I need to be able to promptly and confidently show that all personal data being used complies with the GDPR. This is a laborious, continuous task but very relevant and worthwhile as it also means I can be confident that whoever processes my personal data also has to comply and keep it secure."
The rise of AI has raised new issues about companies using personal data, added Martin Davies, audit alliance manager at compliance automation platform provider Drata. "While the GDPR's principles can still be broadly understood and applied in the context of AI," he explained, "the scenarios under which personal data can be used legitimately within training sets will likely need further clarification."
If a data subject's personal data has been used to train an AI model, that information forms part of the model's parameters and decision-making. At that stage, how can the data subjects exercise their right to erasure? "These are the kinds of questions that naturally arise and would benefit from regulatory clarity," Davies reasoned.
The purpose limitation principle could also fuel tensions internally within companies. "GDPR has balkanized information transfer around organizations and increased existing political tensions between departments as they hide behind the regulations' somewhat abstract data transfer requirements and slow down information sharing," Evidology's Brown said.
3. Data minimization
Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
"The data minimization principle introduced in GDPR was the first time that any web form or information-gathering process was required to identify the minimum amount of personal data needed to fulfill a specific purpose," noted Kris Lahiri, co-founder and chief security officer at cloud content governance provider Egnyte. It was common practice in the past for organizations to promote a culture of "data maximalism" and collect as much information as possible about an individual even if there was no specific need for that information. Retailers, for example, had been known to collect information on the marital status or income levels of customers as part of their loyalty programs.
Businesses are seeking a new middle ground, Davies said. "While GDPR does not explicitly prohibit the collection of this data," he explained, "businesses will need to obtain explicit consent and provide an explicit rationale as to why these additional data points are relevant."
The data minimization principle has been a game-changer, added Troy Batterberry, CEO and co-founder of digital watermarking software provider EchoMark. "Generally, businesses realized that storing vast amounts of unnecessary customer data 'just in case' had more drawbacks than benefits, especially with the occurrence of data breaches increasing every year," he said. Streamlining data processes and collecting only what is necessary for specific stated purposes reduces storage costs and minimizes data leaks in the event of a breach.
Not everyone agrees that the data minimization concept is reducing data-gathering efforts. "Businesses are certainly not minimizing the data they acquire," Pecha argued. "We see storage go up as it is cheaper than ever to store data in the cloud. What you may see is a company decrease business in a certain state if that requirement creates a bar to the business."
4. Accuracy
Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
"Personal data accuracy is so important," MacColl said, "and one of the rights persons inherit from the GDPR is the right to rectification to have incorrect personal data corrected." While waiting for rectification, they can also exercise the right to restrict processing whereby data can be stored but not processed.
The U.K.'s ICO, for example, reprimanded the West Midlands Police for repeatedly mixing up the data of two victims of crime who had the same name and birth date. The mix-up led to inaccurate personal information processed, resulting in officers going to the wrong home address as well as visiting the school of the wrong person's child. The ICO identified a lack of data protection training for the police force's frontline employees for their failure to discover and rectify these mistakes.
5. Storage limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject.
The concept of the "right to erasure" comes into play under the GDPR's storage limitation principle. A company that collects a data subject's information is only permitted to retain that information as long as necessary for the purposes it's being used. "There is no concrete definition of the 'correct' amount of time that the data can be used," Davies said, "so businesses are now required to interpret this themselves and implement measures to ensure data is disposed of or anonymized after the retention timeframe."
British Airways was fined €20 million ($27.7 million) by the ICO in 2021 for failing to protect the personal and financial details of 420,000 staff and customers in a 2018 data breach. Attackers accessed names and payment card information that had been retained for longer than necessary, which Davies cited as a prime example of why storage limitation is an important principle.
"Businesses will learn how to comply with data privacy while retaining and increasing the data they acquire and use as they grow," said Pecha, who sees data storage going up, not down, across industries since data drives business in spite of storage limitations.
6. Integrity and confidentiality
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
"This [principle] alone made security a more significant priority for businesses if it wasn't one, as they need [education] to ensure that the proper security procedures were in place to process, store and manage their data," surmised Egnyte's Lahiri, who reported that businesses spent about 15% more for security in 2023 compared to the previous year. The expectation is that security expenditures will also increase this year as the GDPR has paved the way for more data privacy regulations worldwide. Companies are building their technology stack to ensure they have the proper foundation to meet the principles and requirements required by regulations such as the GDPR.
Addressing generative AI concerns over data integrity and confidentiality, Pecha said the biggest challenge is maintaining proper governance. "This means that company executives are validly concerned their companies are putting data into these AI tools without oversight and possibly violating privacy laws," he explained. "That data is no longer confidential, as we have learned that the same data residing in the AI can be discovered by other individuals using that same AI."
7. Accountability
The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 [the first six principles].
The accountability principle enables data subjects to request what information businesses are storing on them. It also gives them the power to take control of their data, such as asking for the right to be forgotten. "Until GDPR, organizations did not take this right as seriously as it should have been," Lahiri acknowledged. Individuals now have the right to obtain a copy of their personal data and other supplementary information through a subject access request that businesses typically must respond to in 30 days.
Holding organizations accountable for the information they store has prompted larger companies to adopt a more structured approach to data protection, EchoMark's Batterberry said. He recommended that companies implement clear internal policies, conduct regular data protection impact assessments and audits, and appoint a dedicated party responsible for ensuring compliance with regulations.
Enterprises should also create written AI governance statements to ensure accountability, Pecha added. "Companies must take strong stances and manage AI use," he advised, "if they hope to have any accountability."
George Lawton is a journalist based in London. Over the last 30 years, he has written more than 3,000 stories about computers, communications, knowledge management, business, health and other areas that interest him.