With smartphones and social media everywhere, your personal information can be extracted and misused by digital giants within seconds. When you register for an online account on a website, you don't know how the company stores and processes your data. You don't even know whether it has sold your information to a third party. That is why we need data protection laws.
What is GDPR?
The GDPR gives citizens more control over their data and forces Internet companies to be more transparent about how they use that data. The GDPR was launched on May 25, 2018, to protect EU citizens and companies from data protection violations. It places all 27 member states under the same data protection law. It also applies to organisations outside the EU as long as they offer goods or services to European companies or individuals.
1. Legality, fairness and transparency
Whenever you process personal data, you should have a good reason to do so. The GDPR refers to this principle as legality. Reasons for processing data may include:
The data subject has given consent to the processing.
The processing is necessary to fulfil a contract with the data subject.
The processing is necessary to comply with a legal obligation.
The processing is necessary to protect the vital interests of the data subject or another person.
The processing is necessary for a task carried out in the public interest.
The processing is necessary for the legitimate interests pursued by you (the controller) or by a third party.
The concept of fairness in the GDPR is closely tied to legality. It means that you must not deliberately conceal what data you collect or why you collect it. In other words, if users know how you use their data, nothing you do with it should surprise them. Fairness also means that you will not mishandle or misuse the data you collect.
Transparency and fairness are inherently linked. You should give data subjects a clear, open and honest statement of who you are and why and how you process their data. By honouring that statement, you treat your data subjects fairly.
2. Purpose limitation
The second principle of the GDPR sets the boundaries for using data only for certain activities. This purpose restriction means that the data is "collected only for specific, clear, and lawful purposes," as described in the GDPR.
The purposes of your data processing must be explicit, and you must communicate them clearly to individuals through privacy notices. Finally, you must stick to those purposes and limit your processing to the ones you stated.
Suppose you want to use the data you collect for a new purpose that is inconsistent with your original purpose. In that case, you must obtain consent again, unless a clear legal obligation or function requires the new use.
3. Data minimization
Collect only the minimum amount of data needed to accomplish the purpose. This is the GDPR principle of data minimization. For example, suppose you want to collect subscribers for your email newsletter. In that case, you should only ask for the information needed to send the newsletter. Avoid collecting personal data not directly related to your purposes, such as phone numbers or home addresses.
4. Accuracy
You are responsible for ensuring that the data you collect and store is accurate. Set up checks to correct, update or delete data that was entered incorrectly or incompletely. Regular audits are also needed to verify that the stored data is still accurate.
5. Storage limits
According to the GDPR, you must be able to justify how long you keep each piece of data. A good way to meet this storage limitation is to establish a data retention policy: define a standard period after which data you are not actively using is deleted.
6. Integrity and confidentiality
The GDPR requires you to maintain the integrity and confidentiality of the data you collect and to safeguard it against internal and external threats. This takes planning and active effort. You must protect data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
7. Accountability
Regulators know that an organisation can claim to have complied with all the rules without actually having done so. This is why the GDPR requires a degree of accountability. You must have appropriate measures and records in place to demonstrate that you comply with the data processing principles, and the supervisory authority can request that evidence at any time. Documentation is the key here: if you ever need to prove compliance, it provides an audit trail that you and the authorities can follow.