The UK’s General Data Protection Regulation (UK GDPR DPA 2018) protects the personal data of those living within the United Kingdom. The seven principles of UK GDPR lie at the centre of this regulation.
The GDPR sets out seven key principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
These principles are the backbone of UK GDPR legislation and should form the foundation of your approach to processing personal data.
1 Lawfulness, Fairness, and Transparency
Personal data must be processed lawfully, fairly, and transparently:
- Lawfully: The methods used to obtain personal data are per the law,
- Fairly: Personal data is processed in a way consistent with how it was described to the data subject,
- Transparently: Data subjects must be fully informed about what and why data is being collected and how long it will be kept.
2 Purpose Limitation
The personal data obtained must be limited to what the data subject consented to. Data controllers must not collect data; they do not need to perform their processing duties.
Example: If you receive permission to do a criminal record check on a potential employee, you may not conduct a background check.
3 Data Minimisation
The collection of personal data should be relevant and limited to what is needed for a company to fulfil its service.
Example: Your workplace does not need information on your credit history, but requires your banking details to pay your salary.
4 Accuracy
Records of personal data should be accurate and up-to-date, and inaccurate data must be corrected or deleted.
Example: If a data subject changes its name, that information must be updated.
5 Storage Limitation
Personal data should not be stored for longer than necessary.
Example: When an employee leaves a company, all information not required for legal purposes (such as tax records) must be deleted.
6 Integrity and Confidentiality
Appropriate security measures must be in place to prevent “unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures,”.
This usually entails access control, encryption, and anonymised personal data.
7 Accountability
Organisations must confirm and prove they’re compliant with GDPR.
Adhering to the accountability principle can include:
- Carrying out data privacy assessments to determine your compliance and risks, such as a DPIA.
- Creating and documenting a data map.
- Keep a record that shows your GDPR compliance to regulators.
8 Principle-Led Privacy
The principles of UK GDPR are laid out in Article 5 and form the basis of what follows. Like all principles, they are guides rather than instructions.
A principle-led data processing procedure not only builds a sound foundation for UK GDPR compliance but also sets your organisation up for international compliance legislation.
Formiti offers international data privacy services using ten core disciplines for this reason. If you’d like to know more about our international global data privacy assessment platform (Formiti360) or any of our other services, contact us on +44 121 582 0192 or [email protected].