Running a company means you will inevitably receive and store important personal information. As such, your business must be aware of the principles regarding recording, storing and deleting this data. The General Data Protection Regulation (GDPR) provides organisations with data protection rules in England. This article will explain the seven guiding principles that underpin the GDPR to ensure your company is aware of its data protection requirements. Accordingly, your business can avoid unintentional breaches and subsequent fines.
Why is it Important to Comply With the GDPR?
The Information Commissioner’s Office (ICO) can investigate any business suspected of breaching the GDPR. The ICO focuses on business behaviour and will issue fines to non-complying businesses to deter other organisations from breaking data protection rules.
1. Integrity and Confidentiality (Security of Data)
Your business must keep information safe and secure. To illustrate, some of the ICO’s largest fines (between £15m and £20m) relate to companies having inadequate security arrangements to guard against the theft of sensitive information. For example, you can minimise the risk of information theft by implementing a sound security system and anti-virus software and by encrypting sensitive data.
2. Accountability
Your company is responsible for any breach of data protection rules. Even unintentional breaches may lead to ICO fines. Accordingly, it is essential your company can demonstrate that it takes all possible steps to protect personal information.
3. Purpose Limitation
A business should only use personal information for the exact reason given for collection. This means that your company cannot obtain information from individuals for the stated reason of sending an electronic newsletter and then use it for a secondary purpose, such as cold calling individuals on their mobile.
4. Accuracy
The ICO believes it is vital that all data remains accurate. Therefore, your company should update its information rather than retain old, inaccurate information. For instance, you can implement policies requiring staff to notify you of any change of address and to re-confirm customer details upon each purchase.
5. Data Minimisation
The GDPR advises that your company should only collect as much information as it needs. So, for example, if your business only needs a customer’s card details, full name and home address for online purchases, it should not ask for their date of birth or national insurance number.
6. Storage Limitation
Retaining information longer than necessary is a breach of data protection rules. So, if a customer provides card details for online purchases but has not ordered anything for three years, you should delete any card records on file. This also applies to employee records, which the business should destroy a certain period after the employee’s departure.
7. Lawfulness, Fairness and Transparency
While all seven principles are technically equal, lawfulness, fairness and transparency are essential to your business.
In summary, this principle involves your organisation:
- only using the information in line with the GDPR rules;
- acting transparently concerning the reasons for data collection and intended use;
- dealing with requests from data subjects (the people you collect data from) fairly and reasonably;
- guarding against accidental loss of data and acting in the public interest; and
- reporting any data breach to the ICO within 72 hours. This includes any cyber-attacks against your company.
Key Takeaways
Overall, the seven principles of the GDPR encourage your company to handle and store personal data safely and be honest with individuals about the purpose of any data collection. Furthermore, it is essential to have appropriate security over digital and physical information, as any data theft due to inadequate protection may lead to an ICO fine.
If you need help with data protection principles and the safe processing of data, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Physical data security focuses on securing the premises and keeping sensitive information in locked cabinets or secure rooms. In contrast, electronic security focuses on having strong passwords, anti-virus software and firewalls.
If the information is on paper, your business can destroy data by shredding documents and using a reputable rubbish disposal company. If you wish to delete digital information, you should use specialist deletion software that ensures someone cannot recover it. You should also delete any backup data on your IT system.