Introduction
This how-to guide provides guidance to in-house counsel and private practitioners about the seven key principles set out in article 5 of Regulation (EU) 2016/679 – General Data Protection Regulation (EU GDPR). This guide can also provide assistance when advising internal or external clients on data processing principles.
This guide is EU-focused, reflects the requirements of the EU GDPR and covers:
- general requirements under the EU GDPR; and
- the European Data Protection Board (EDPB) and, where relevant, EU member states’ supervisory authorities’ interpretation of such EU GDPR requirements.
In this guide, references to the ‘EU GDPR’ do not cover any local European Economic Area (EEA) data protection law requirements or interpretation of the EU GDPR by EEA data protection regulators.
This guide does not address UK-specific data protection law requirements. However, it should be noted that the UK retained the EU GDPR in domestic law after Brexit (commonly referred to as the ‘UK GDPR’) with the changes necessary to accommodate domestic areas of UK law. Therefore, insofar as the UK’s supervisory authority (the Information Commissioner’s Office (‘ICO’)) has published guidelines on the EU GDPR (prior to Brexit) and the UK GDPR (after Brexit), such guidelines can also be a helpful reference on the subject matter of this guide.
This guide covers the following:
- Lawfulness, fairness and transparency principle
- Purpose limitation principle
- Data minimisation principle
- Accuracy principle
- Storage limitation principle
- Integrity and confidentiality (security) principle
- Accountability principle
- Enforcement action that organisations can face if they do not comply with the data protection principles
This how-to guide explains how organisations can address compliance with the data processing principles. It can be used in conjunction with How-to guide: How to ensure compliance with the GDPR and Checklist: Lawful processing of personal data under the GDPR.
In this guide, we refer to the organisation processing personal data as the ‘data controller’ or ‘controller’ and the party whose data is being processed as the ‘data subject’ or ‘individual.’ Other relevant key definitions such as ‘processor’, ‘personal data’ and ‘processing’ are further explained in the How-to guide: Understanding key data protection definitions.
Section 1 – Lawfulness, fairness, and transparency
1.1 What is lawfulness?
The controller is required to demonstrate a ‘lawful basis’ for processing personal data. There are six lawful bases which the controller may rely on, and these are set out in article 6, EU GDPR and are as follows:
- consent;
- performance of contract;
- performance of a legal obligation;
- protection of vital interests;
- public task; and
- legitimate interests.
The processing needs to fall within one of the six lawful bases for it to be lawful (in addition to meeting a condition for processing special categories of personal data, if that type of data is being processed).
Article 5(1), EU GDPR, requires the controller to identify a lawful basis before initiating the processing of personal data. If no lawful basis applies to the intended processing, the controller may not proceed with it, as doing so would breach the EU GDPR.
See How-to guide: How to ensure compliance with the GDPR and Checklist: Lawful processing of personal data under the GDPR for more information on each of the lawful bases.
1.2 What is fairness?
Controllers need to make sure that the processing of personal data is fair as well as lawful. A ‘fair’ processing activity is one where:
- personal data is used in a way that people would reasonably expect; and
- personal data is not used in ways that have unjustified adverse effects on the data subject.
However, a processing activity can also be fair even if it is used in a way that negatively impacts the individual – they just cannot generally be deceived or misled when the personal data is obtained. For example, if police stop an individual as part of a clearly marked random breath testing, their personal data will be collected in the form of their driving licence details and a blood alcohol reading. The processing activity may be detrimental to the data subject if they are subsequently found to be over the legal limit, but this will not be unfair from a data protection standpoint.
1.3 What is transparency?
The transparency requirement is linked to the data subject’s right to be informed about the collection and use of their personal data. Controllers need to make sure that all information relating to the processing activity is presented to the data subject in a clear and concise way. This is typically done in a privacy notice.
Articles 13 and 14, EU GDPR, set out the transparency information that needs to be provided to data subjects – there are some slight differences in content depending on whether the personal data is obtained directly from the data subject or from a different source. If the personal data is obtained directly from the data subject, controllers must provide the transparency information at the time the data is obtained. However, if the personal data is obtained from a different source, the controller needs to provide the individual with the transparency information:
- within a reasonable period (but up to a maximum of one month) of obtaining the personal data;
- when the first communication takes place, at the latest, if the personal data is used to communicate with the individual; or
- when the data is disclosed, at the latest, if the data will be shared with a third party.
Controllers must make sure that the transparency information provided is:
- concise;
- transparent;
- intelligible;
- easily accessible;
- clear; and
- in plain language.
For further guidance, see Checklist: What to include in your organisation’s privacy notice.
Section 2 – Purpose limitation principle
2.1 What is the purpose limitation principle?
Article 5(1)(b), EU GDPR sets out that personal data shall be:
- collected for specified, explicit and legitimate purposes; and
- not further processed in a manner that is incompatible with those purposes.
Controllers should avoid ‘function creep’ when processing personal data. This occurs when personal data is processed for a purpose other than the one originally intended. It is important to be clear with the data subject from the outset about the purpose for which the controller is processing the personal data.
Clarity and transparency around the purposes of processing allows individuals to have a better understanding of how their personal data is used and creates trust about the controller’s processing practices whilst upholding other fundamental processing principles (eg, fairness, lawfulness, transparency, etc).
2.2 Is it possible to process the personal data for a different purpose than otherwise originally intended?
It is possible to process personal data if the original purpose has changed over time and the controller wants to use the personal data for a new purpose which was not initially anticipated. However, before carrying on with the processing, the controller needs to make sure that:
- the new purpose is compatible with the original purpose (notably, this may be the case for certain research purposes (see below)); or
- the data subject’s specific consent for the new purpose has been obtained; or
- the controller can identify a clear legal provision requiring or allowing the new processing in the public interest.
A lawful basis for the new processing must be identified before moving ahead with the processing for the new purpose.
In practice, controllers can consider whether personal data can be anonymised before using it for alternative use cases, as truly anonymised data falls outside the ambit of the EU GDPR regime.
2.3 What is a ‘compatible’ purpose?
Under the EU GDPR, the following purposes are considered ‘compatible’ for further processing:
- archiving purposes in the public interest;
- scientific or historical research purposes; and
- statistical purposes.
Recital 159, EU GDPR, indicates that the term ‘scientific research’ should be interpreted broadly.
If the new purpose does not fall within any of the above purposes, the controller will need to carry out a compatibility assessment to determine whether the new purpose is compatible with the original purpose. In its guidance on the research provisions, the UK’s supervisory authority, the ICO, suggests that the assessment should take into account:
- any link between the original purpose and the new purpose;
- the context in which the controller originally collected the personal data – taking into account what the data subject would reasonably expect and the controller’s relationship with the data subject;
- the nature of the personal data (eg, whether it is particularly sensitive data);
- the possible consequences for individuals of the new processing; and
- whether there are appropriate safeguards (eg, encryption or pseudonymisation).
The list provided by the ICO is not exhaustive and what should be considered will depend on the specific circumstances.
Section 3 – Data minimisation principle
3.1 What is the data minimisation principle?
This principle, as set out in article 5(1)(c), EU GDPR, requires that controllers only process personal data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
In practice, controllers should only obtain the minimum amount of personal data that is needed to achieve the purpose.
3.2 What is adequate, relevant and limited?
Controllers will need to assess whether they are holding the right amount of data on a case-by-case basis. From the outset, controllers need to make clear the reasons why the personal data is needed.
If the controller is processing higher-risk special category data or criminal offence data, it is particularly important to make sure that the amount of data collected is not excessive.
3.3 How can controllers make sure that they comply with this principle?
Controllers need to review the processing activity regularly to check that the personal data held is still relevant and adequate for the original purpose. Any personal data that is no longer needed should be deleted. Data subjects may also decide to exercise their rights (such as right to erasure or rectification) to have personal data that is no longer needed for the original purpose of processing either deleted or rectified.
Controllers must have adequate processes in place to satisfy these requests and to demonstrate that they are only processing and storing the personal data that is needed. Privacy by design and by default principles must be followed so as to ensure that systems and processes are designed to collect only the minimum personal data that is required.
The examples listed below demonstrate excessive processing of personal data.
- If the processing activity only concerns specific individuals, any information collected in relation to other people is likely to be excessive and irrelevant.
- Personal data collected on an assumption that it might be needed later is likely to be considered excessive.
Controllers need to ensure that the personal data they are processing is adequate for their purposes. If the processing is not helping to achieve the intended purpose, controllers need to consider whether the personal data they hold may need to be rectified or integrated with additional information, or if instead different data is required.
Section 4 – Accuracy principle
4.1 When is personal data ‘accurate’ or ‘inaccurate’?
Article 5(1)(d), EU GDPR, sets out the requirement that the personal data processed must be ‘accurate’ and ‘kept up to date’.
For example, records showing that an employee still works at a company when they have left will be inaccurate. However, a record showing that they previously worked at the same company will remain accurate.
In some instances, there is merit in maintaining a record of mistakes to accurately reflect the order of events. For example, in a medical context, if a patient has been misdiagnosed with a medical condition, it would be considered acceptable to keep the record of the mistake on the individual’s records, as it will be relevant for the purpose of explaining the treatment given to the patient or other health problems.
It is paramount to ensure that any mistakes are identified to avoid storing incorrect or misleading information and making decisions based on that information that may in turn have adverse consequences for the data subject.
4.2 Does personal data have to be updated regularly?
It is only necessary to make sure that the personal data is kept up to date if the intention is to use the information for a purpose that relies on the personal data remaining current. This includes:
- updating employee payroll records when there is a pay rise; or
- updating records for a customer’s change of address so that goods are delivered to the correct location.
Although it would be best practice to ask data subjects to regularly update their information, from an operational perspective and applying a risk-based approach, controllers do not need to take excessive measures to keep personal data up to date, unless there is a corresponding privacy risk which justifies this.
4.3 What steps do controllers need to take to ensure accuracy?
If the controller obtains the personal information using their own resources, then it is their responsibility to make sure that the information is accurate and up to date.
However, this may not always be realistic. In its guidelines on the accuracy principle, the UK’s ICO recognises that it is impractical to place the onus solely on the controller to check the accuracy of personal data provided by someone else. It therefore sets out the following steps that controllers should take to make sure that they abide by the accuracy principle:
- accurately record the information provided;
- accurately record the source of the information;
- take reasonable steps in the circumstances to ensure the accuracy of the information; and
- carefully consider any challenges to the accuracy of the information.
However, what are considered ‘reasonable steps’ in the circumstances to ensure the accuracy of the information will depend on how the information will be used and what could go wrong if the information turns out to be inaccurate. Typically, where an organisation is sourcing data in a commercial context it will seek warranties and indemnities from the originating controller as to accuracy (and also lawfulness) of the data.
Section 5 – Storage limitation principle
5.1 What is the storage limitation principle?
Under article 5(1)(e), EU GDPR, data controllers cannot keep personal data for longer than necessary unless it is processed solely for:
- archiving purposes in the public interest;
- scientific or historical research purposes; or
- statistical purposes.
The EU GDPR does not set specific time limits for different types of data. It is up to the controller to assess how long the data is needed for the specified purposes, taking into account any applicable statutory time limits. Otherwise, the time limit simply needs to be justifiable and proportionate in the circumstances.
Organisations should have data retention policies in place which set out the types of record or information held, as well as what it is being used for, and how long the controller intends to keep it and why this is necessary.
Controllers should implement the data retention policy so as to comply with the record-keeping requirement in article 30, EU GDPR. It is good practice to implement a system that ensures that organisations are able to:
- keep to these retention periods in practice;
- review retention at appropriate intervals; and
- be flexible enough to allow for early deletion, if appropriate.
5.2 How to set and review the retention periods?
Although the EU GDPR does not provide set time periods for how long controllers can retain different types of personal data, the UK’s ICO provides some useful examples in its storage limitation guidance. For instance, controllers can keep personal data for as long as the processing is still happening. However, when processing ends, controllers need to identify valid reasons why this data needs to be kept (eg, to defend potential future legal claims, or to comply with statutory and/or regulatory obligations, for instance in relation to tax or health and safety). If there are no reasons to continue to hold the data, then controllers should delete it.
Organisations should review the retention periods of personal data at regular intervals to assess whether the personal data is still needed during the processing as well as at the end of any standard retention period. Whilst there are no set rules on how often to review the retention, organisations should be able to justify the retention and how often it is reviewed in order to be compliant with the storage limitation principle. Retention periods of higher-risk/more sensitive data will require more frequent review.
Organisations will need to provide certain details about retention periods in their privacy notices. In addition, individuals can request that organisations consider how long certain personal data needs to be stored for, and organisations must be able to respond to such requests.
5.3 What to do with personal data that is no longer needed?
Organisations should either delete or anonymise the personal data when it is no longer needed. Whilst deletion can mean different things in relation to electronic data, it is important to ensure that data is put beyond use and if the data is deleted from live systems, controllers should ensure that it is also erased from back-ups.
Storing data offline is still processing the personal data and doing so does not mean that data will be deemed deleted. This means that personal data stored offline should be disclosed in response to a data subject’s access request and controllers must still comply with all the other principles and the data subject’s rights in relation to the personal data stored offline.
Organisations can also anonymise personal data so that it is no longer ‘in a form that permits identification of data subjects’. However, personal data that has been pseudonymised is not generally considered deleted, as it usually permits re-identification.
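The distinction drawn above between pseudonymised data (re-identifiable while the key or lookup table survives) and anonymised data (identifiers removed and remaining attributes generalised) can be made concrete in code. The following is an added example written for this guide, not code from the guide’s authors or from any supervisory authority; the sample records, the secret key, the field names and the generalisation rules (postcode reduced to its first block, birth year to a decade) are all constructed assumptions chosen for illustration.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample records for fictional data subjects (assumption, not real data).
SAMPLE_RECORDS: List[Dict] = [
    {"name": "Ana Example", "email": "ana@example.test", "postcode": "D02 XY12",
     "birth_year": 1984, "diagnosis": "asthma"},
    {"name": "Ben Sample", "email": "ben@example.test", "postcode": "D08 AB34",
     "birth_year": 1991, "diagnosis": "none"},
]

# Fields that directly identify a person; these are what pseudonymisation replaces.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymise(records: List[Dict], secret: bytes) -> Tuple[List[Dict], Dict[str, Tuple[str, str]]]:
    """Replace direct identifiers with a keyed token (HMAC-SHA256 over the e-mail).

    Returns the pseudonymised records and the lookup table mapping token -> identity.
    The lookup table (and the key used to derive the tokens) is precisely what keeps
    the data re-identifiable, which is why pseudonymised data is not 'deleted'.
    """
    lookup: Dict[str, Tuple[str, str]] = {}
    out: List[Dict] = []
    for rec in records:
        token = hmac.new(secret, rec["email"].encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        lookup[token] = (rec["name"], rec["email"])
        pseudo = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudo["subject_id"] = token
        out.append(pseudo)
    return out, lookup


def re_identify(pseudo_record: Dict, lookup: Dict[str, Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    """Reverse the pseudonymisation; succeeds only while the lookup table is held."""
    return lookup.get(pseudo_record["subject_id"])


def anonymise(records: List[Dict]) -> List[Dict]:
    """Drop direct identifiers and generalise quasi-identifiers so no subject_id remains.

    Generalisation rules are assumptions for this example: postcode -> first block only,
    birth year -> decade. There is no table to reverse, so re-identification via the
    controller's own data is not possible.
    """
    return [
        {
            "area": rec["postcode"].split()[0],
            "birth_decade": (rec["birth_year"] // 10) * 10,
            "diagnosis": rec["diagnosis"],
        }
        for rec in records
    ]


def put_beyond_use(lookup: Dict[str, Tuple[str, str]]) -> None:
    """Destroy the lookup table; after this the pseudonymised records can no longer be reversed."""
    lookup.clear()


if __name__ == "__main__":
    pseudo, table = pseudonymise(SAMPLE_RECORDS, b"constructed-secret-key")
    print("pseudonymised:", pseudo[0])
    print("reversible while table is held:", re_identify(pseudo[0], table))
    put_beyond_use(table)
    print("after table destroyed:", re_identify(pseudo[0], table))
    print("anonymised:", anonymise(SAMPLE_RECORDS))
```

The design point is where the re-identification capability lives: for pseudonymised data it is in the key and the lookup table, so ‘putting the data beyond use’ means destroying those (including any copies in back-ups), whereas the anonymised output never had them. Whether generalisation of this kind is sufficient for a given dataset depends on how many people share each combination of remaining attributes, so the anonymisation step here illustrates the concept rather than a reusable standard.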
Section 6 – Integrity and confidentiality (security) principle
6.1 What is the security principle?
Under the security principle, organisations need to make sure that appropriate technical and organisational measures have been put in place to help safeguard against the personal data held being accidentally or deliberately compromised.
This principle should be considered alongside article 32, EU GDPR, which provides that controllers and processors are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account:
- the state of the art;
- the costs of implementation;
- the nature, scope, context and purposes of processing; and
- the risk to the rights and freedoms of natural persons of varying likelihood and severity.
6.2 What do the security measures need to protect and to what level?
Supervisory authorities, including Ireland’s Data Protection Commission (DPC), provide guidance on what organisations need to implement to make sure the security measures are compliant, such as ensuring that:
- the data is only accessed, altered, disclosed or deleted by authorised persons;
- the data held is accurate and in accordance with the intended purpose for the processing; and
- the data remains accessible and usable, ie, if the personal data is accidentally lost, altered or destroyed, organisations should have systems in place to recover it and prevent any damage or distress to the data subjects.
The EU GDPR requires organisations to implement a level of security that is ‘appropriate’ to the risks presented by the processing activity. This assessment should take into account factors such as:
- the nature and extent of the organisation’s premises and computer systems;
- the number of staff at the organisation and the extent of their access to the personal data; and
- any personal data held or used by a data processor acting on behalf of the organisation.
Organisations also need to consider data security in relation to their supply chain to the extent that processors are given access to personal data.
6.3 What organisational measures do organisations need to consider?
Organisations should aim to implement a culture of security awareness which includes identifying a person with day-to-day responsibility for information security and providing them with appropriate resources to carry out their role effectively.
A well-drafted information security policy, which is monitored and enforced for compliance and is subject to regular review is advisable for most organisations as part of an effective data protection and cybersecurity governance framework. This is an effective way to demonstrate that an organisation is taking steps to comply with the security principle and its broader security obligations.
When implementing security measures, organisations should consider a range of factors, including:
- clear designation of responsibilities, communication channels and regular touchpoints between the key stakeholders in the organisation;
- identifying and keeping under review the ever-changing security threat landscape (eg, physical, systems and device security threats);
- identifying how to protect and recover personal data (eg, device security protocols as part of employee onboarding and offboarding); and
- regular review of security measures to make sure that they are appropriate and up to date.
6.4 What technical measures do organisations need to consider?
Technical measures should not only cover the protection of personal data held on computers and networks. A large number of security incidents result from:
- theft or loss of equipment;
- the abandonment of old computers; or
- hard-copy records being lost, stolen or incorrectly disposed of.
Organisations should protect both physical and IT security when implementing technical measures. Physical security includes:
- making sure that the premises have good quality doors and locks as well as alarms, security lighting or CCTV;
- controlling access to the premises and monitoring visitors;
- a proper system for the disposal of paper, electronic and confidential waste; and
- securing IT equipment such as mobile devices.
The protection of IT security is sometimes referred to as ‘cybersecurity’. Organisations should consider the following when implementing strong cybersecurity measures:
- system security – protecting the network and information systems, including those that process personal data;
- data security – making sure that appropriate access controls are in place and that data is held securely;
- online security – the security of the organisation’s website and any other online service or application used; and
- device security – including Bring Your Own Device (BYOD).
See also How-to guides: How to reduce the risk of a GDPR data breach and How to deal with a GDPR data breach.
Section 7 – Accountability principle
7.1 What is accountability?
The accountability principle has two key elements. It sets out that controllers are both responsible for complying with the EU GDPR and must also be able to demonstrate that they are compliant. Accountability primarily relates to governance and underpins a number of sections of the EU GDPR related to the documentation and processes that organisations are required to maintain and the privacy management structures that they have in place.
7.2 What do organisations need to do to demonstrate accountability?
Organisations can demonstrate accountability in different ways depending on their size. Best practice would suggest that larger organisations consider implementing a privacy management framework which includes:
- strong programme controls in line with the EU GDPR requirements, which refer to processes, procedures, checks, monitoring/audits and systems that are put in place to manage an organisation’s privacy framework;
- an appropriate reporting matrix; and
- assessment and evaluation procedures.
Smaller organisations will need to implement a similar privacy management framework but on a lesser scale, which includes:
- keeping an adequate record system on the practices being carried out by the organisation and the reasons for doing so;
- implementing policies and procedures for handling personal data; and
- implementing a good training programme for employees to have better awareness and understanding of the EU GDPR requirements.
The EU GDPR does not provide an exhaustive list of measures that controllers need to adopt in order to demonstrate compliance with the accountability principle. However, the accountability framework published by the UK supervisory authority (the ICO) can be a useful tool for organisations to assess and track their data protection compliance in a methodical and systematic way.
The requirements expanded on below are examples of how an organisation can demonstrate compliance. Whether an organisation must implement them depends on the personal data being processed and the profile of the organisation.
Please note that the accountability principle is an ongoing obligation and organisations must review their practices and measures at regular intervals to make sure that they remain effective.
7.2.1 Implement data protection policies
Recital 78, EU GDPR states that implementing data protection policies, where proportionate, is one of the measures that will demonstrate compliance with the accountability principle. As part of their EU GDPR compliance, organisations should also demonstrate that the policies in place have been duly implemented. This includes awareness raising, internal staff training, regular compliance monitoring and audits.
7.2.2 Adopt a ‘data protection by design and default’ approach
Under the EU GDPR, controllers are required to put in place appropriate technical and organisational measures to ensure and to demonstrate compliance with the EU GDPR. Article 25, EU GDPR goes further and requires that such measures are designed to implement data protection principles before or during the processing of personal data. In addition, article 25 requires that controllers implement measures that by default ensure that only the required personal data for a specific purpose is processed. Organisations should refer to the EDPB’s Article 25 Data Protection by Design and by Default guidelines for more detail on how to comply with this requirement.
In its guidance, the EDPB provides some examples on how to meet the requirements of data protection by design and by default. This is not an exhaustive list but it includes the following:
- minimising the processing of personal data;
- pseudonymising personal data as soon as possible;
- erasing personal data when processing is no longer needed;
- ensuring transparency in respect of the processing of personal data;
- allowing for monitoring the processing; and
- implementing security features.
Compliance with this requirement will be different depending on the size of the organisation and the type of processing taking place. The key to achieving compliance is to take an organisational approach that achieves certain outcomes, such as making sure that:
- data protection issues have been considered as part of the design and implementation of systems, services, products and business practices;
- data protection is an integral component of the core functionality of the processing systems and services;
- data is only processed in relation to the original purpose;
- personal data is protected in any IT system, product, and/or business practice; and
- the identity of the responsible persons for data protection is available within the organisation and to individuals.
7.2.3 Maintain records of processing (ROPAs), if required
Most organisations are required under article 30, EU GDPR to maintain a record of their processing activities (often called a ‘ROPA’). Ireland’s supervisory authority, the DPC, has published guidelines on ROPAs.
The legal obligation to document all processing activities in a ROPA applies to organisations with 250 or more employees. For organisations with fewer than 250 employees, the requirement is to document processing activities that:
- are not occasional; or
- could result in a risk to the rights and freedoms of individuals; or
- involve the processing of special categories of data or criminal conviction and offence data.
Organisations should also document other things to show compliance with the EU GDPR such as but not limited to, the following:
- records of consent;
- records of personal data breaches;
- controller-processor contracts;
- location of personal data; and
- information required for processing special category data or criminal conviction and offence data.
7.2.4 Carry out data protection impact assessments for high-risk data processing activities
A Data Protection Impact Assessment (DPIA) is a legal requirement under the EU GDPR prior to carrying out processing likely to result in high risk to individuals’ interests.
This document will act as evidence of the steps taken to assess the possible risks associated with the processing activity as well as the steps taken to mitigate them. Please refer to Ireland’s DPC’s guidelines on DPIAs for further guidance.
7.2.5 Appoint a data protection officer, if required
Under the EU GDPR, a data protection officer (DPO) must be appointed if:
- the entity processing the personal data is a public authority or body (except for courts acting in their judicial capacity);
- the organisation’s core activities require large-scale, regular and systematic monitoring of individuals; or
- the organisation’s core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
Please note that even if an organisation does not need to appoint a DPO under the EU GDPR, it should still ensure that appropriate persons are appointed with data protection compliance responsibilities.
Organisations should refer to the EDPB’s guidance on DPOs for more information. See also Checklist: When and how to appoint a data protection officer.
Section 8 – Enforcement action that organisations can face if they do not comply with the data protection principles
The seven data protection principles underpin the EU GDPR and the EU data protection regime overall. As such, their infringement is considered a serious infringement of the EU GDPR.
Breaching the data protection principles may expose controllers to substantial fines and other enforcement action. Non-compliance with the data protection principles may attract the highest tier of administrative fines of up to €20 million, or 4% of total worldwide annual turnover, whichever is higher. Other enforcement action can include investigations, audits and orders to stop processing and to delete personal data that is being processed unlawfully.
Supervisory authorities across the EU have a solid and established practice of enforcing the principles and issuing proportionate monetary penalties against controllers who have failed to comply with the principles.
Additional resources
- Guidelines 05/2020 on consent under Regulation 2016/679 | European Data Protection Board (Europa.eu);
- Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects (which focus on the performance of contract lawful basis) | European Data Protection Board (Europa.eu); and
- Guidelines 08/2020 on the targeting of social media users (which focus on the consent and legitimate interests lawful bases) | European Data Protection Board (Europa.eu).
Related Lexology Pro content
How-to guides:
Understanding key data protection definitions
How to ensure compliance with the GDPR
How to establish a valid lawful basis for processing personal data under the GDPR
How to transfer personal data lawfully outside the European Economic Area
How to reduce the risk of a GDPR data breach
How to deal with a GDPR data breach
How to deal with a supervisory authority dawn raid
Checklists:
GDPR compliance self-assessment audit
Assessing whether an organisation is a controller or processor under the GDPR
Lawful processing of personal data under the GDPR
Obtaining and managing consent under the GDPR
Processor due diligence (data protection and cybersecurity)
Making an international transfer of personal data under the GDPR
Data subject access rights under the GDPR
What to include in your organisation’s privacy notice
When and how to appoint a data protection officer
Complying with cookie requirements under the ePrivacy Directive and the GDPR