Core Data Protection Principles of UK and EU GDPR
CyXcel’s Legal Director Stewart Duffy explains the core principles of data protection in Article 5 of the UK General Data Protection Regulation (GDPR) and Article 5 of the EU GDPR.
This article is part of a series that provides clear and actionable guidance on key legal and regulatory provisions relating to data protection.
While the introduction of the EU GDPR in May 2018 undoubtedly raised public and corporate awareness of data protection law, it did not represent a radical departure from its predecessor legislation, such as the Data Protection Act 1998 and EU Directive 95/46. At the heart of each is a set of core principles governing data processing. For the UK, these are now set out in Article 5 of the UK GDPR.
Those key principles recognise the impact that the use of personal data can have on individuals, which can range from the trivial to the profound. In essence, the GDPR requires data to be treated with respect, particularly because of the consequences that flow from its use.
Seven Core Principles
Article 5 sets out a number of directives as to how personal data must be processed. Each of those is related to a specific principle.
The seven principles are:
- Lawfulness, Fairness and Transparency
- Purpose Limitation
- Data Minimisation
- Accuracy
- Storage Limitation
- Integrity and Confidentiality
- Accountability
Lawfulness, Fairness and Transparency
The reference to lawfulness requires particular attention to the requirements of Article 6 and Article 9, together with Article 10. These deal with the lawful grounds for processing and the prohibition on processing special category personal data (save where an exemption applies).
Organizations often rely on their privacy policy (or privacy notice) to discharge their obligation of transparency. It is worth remembering that the privacy notice is not the only tool available: ‘just in time’ information, provided at the point where particular data is collected, may be more effective by being anchored in the specific context. Information can also be provided orally, in animations or through other means.
Reasonable people may disagree on what the fairness principle requires, which makes this aspect of the requirement challenging to evaluate. If an organization is collecting data, or using it, in a way which would come as a surprise to the data subject, then the organization is likely to face difficulty.
Moreover, this requirement must be met every time an organization wishes to process data: just because personal data was processed in a fair manner the first time does not mean that further processing of that data for other purposes is exempt from the fairness requirement.
With organizations increasingly seeking to maximise the use of their data holdings, good records must be maintained of the original and all subsequent processing of that data to ensure that compliance with the fairness requirement can be properly assessed.
Purpose Limitation
In a world hungry for data there is often a temptation to collect or store data not for immediate use but because it might be useful in the future for some as-yet unascertained reason.
The Purpose Limitation principle requires a sharp focus on the question of why data is being collected. The purpose or purposes for which data is collected become the touchstone for deciding what data to collect and determining whether the data is adequate.
There may be more than one purpose at the outset, but those should be identifiable and predictable throughout the lifecycle of data processing.
However, this is not cast in stone: it is possible for data to be obtained for one or more original purposes, but then later a further process is identified and applied to that data. For example, prior to the expiry of a retention period the data may become evidence in litigation and may need to be retained for that purpose.
The Purpose Limitation principle does permit further use of data for purposes that are ‘not incompatible’ with the original purpose for which the data was collected. However, the use for those other purposes must also meet the requirements of the regulation.
Data Minimisation
Defining the purpose or purposes for which personal data will be processed allows organizations to clarify what data they actually need for that purpose. The principle of data minimisation envisages a close alignment between the purpose of processing and the scope of the data collected and processed.
This approach also mitigates risk. Organizations cannot lose - and cybercriminals cannot steal - data they are not processing.
Again, this is an ongoing duty. Some data might be necessary throughout the entirety of a process, other data only for a small part.
An example might be where a data controller offers a service and eligibility for that service requires an identity check. It will be necessary to process passport or similar information, say, for the purposes of the identity check, but after that point it may no longer be necessary to retain much of that data since the passport number or place of birth are not needed to deliver the service.
Accuracy
No data controller would wish to rely on inaccurate data, but the accuracy principle serves to reinforce the importance of data accuracy at the time of collection and during the lifecycle of processing.
The purpose of processing is also a touchstone for this principle. If data is processed over a long timeframe, the possibility that it may no longer accurately reflect reality increases. Thus, the principle includes a requirement to proactively ensure accuracy is maintained over time where that is important to the underlying purpose.
Here, context is key. This principle does not mean that only the most current or up-to-date data can be processed; historical records of previous debt, for example, will still be accurate even if the debt has since been repaid, as long as it is clear that it is a historic snapshot.
Similarly, accuracy will not always mean that only one version can be processed: in some cases, accuracy requires that, where information is disputed, all interpretations are set out clearly in context.
Storage Limitation
Determining appropriate retention periods is an important task for data controllers.
As the recent UK Windrush scandal illustrated, premature destruction of personal data can have significant consequences for data subjects. Equally, retaining personal data after the purpose for which it was collected has been served impinges on the rights of the data subjects and serves to accumulate unnecessary risk for the controller.
The storage limitation principle does not mandate destruction of data; anonymisation of data is an acceptable alternative. Anonymisation must be genuine and effectively render the individual unidentifiable rather than merely unlikely to be identified (pseudonymisation). How data is structured impacts the feasibility of anonymisation.
When determining the data retention period, it is important to bear in mind that there are many scenarios where the purpose of processing is multidimensional and the dominant purpose changes over time.
This is often the case in the context of professional services. For example, the collation of clinical records serves multiple purposes from the outset such as facilitating patient care and securing regulatory accountability, but over time the relative importance of those purposes is likely to change.
Integrity and Confidentiality
Integrity and confidentiality are two elements of the security triad, alongside availability. While obligations of confidentiality have long been recognised at common law, the UK GDPR applies a requirement of confidentiality to all personal data processed within the scope of the regulation.
The collective effect of the principles is that where personal data is processed, that processing must be for a purpose. Given the requirements of Article 6, that purpose must be of some importance (and even more so under Articles 9 and 10 for special category data). The requirement that the data be protected from corruption is not surprising.
Accountability
The establishment of an express obligation of accountability was one of the key changes introduced by the EU GDPR. It professionalises all processing of personal data in the sense that data controllers must be accountable for the way in which they process data.