The European Union’s General Data Protection Regulation, which goes into effect on May 25, 2018, represents a revolution in data protection laws for citizens across Europe. The regulation makes it clear that the personal data is any information relating to an identified or identifiable natural person, including their IP and email addresses.
In order to meet the new regulations, companies will need to implement appropriate technical and organisational measures for ensuring the security of data processing.
The new principles include:
- Fair, lawful and transparent processing.
- The purpose limitation principle.
- Data minimisation.
- Data retention periods.
- Integrity and confidentiality.
Today we will focus on the first three of them.
- Fair, lawful and transparent processing
The GDPR requires that personal data be processed lawfully, fairly and in a transparent manner in relation to the data subject. The data processor must have legitimate grounds for collecting and using the personal data, and they can’t use the data in ways that would have unjustified adverse effects of the data subects.
The data processor is also obliged to provide data subjects with information about their personal data being processed in a transparent, concise, and intelligible manner. Language used to inform data subjects should be clear and plain, and the individual has to be informed before their data is collected.
- The purpose limitation principle
Under the GDPR, the data can only be collected for specified, explicit and legitimate purposes and may not further processed in a manner that is incompatible with those purposes.
Using personal data is only allowed if and to the extent that it is compliant with the original purpose for which it was collected. Further legal grounds or consents are required in order to be allowed to process the data for another purpose.
If a company has, for example, gathered e-mail addresses from customers who agreed to receive a monthly newsletter, it cannot use this data to send them e-mails to, e.g. invite them to take part in an event.
However there is one exception here: further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.
- Data minimisation
Personal data should be collected for specified, explicit and legitimate purposes and must be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.
In practice this means that it is only permissible to gather and use the data that is actually needed to carry out specific purposes. If the purpose is to send the customer a product he or she ordered, it will be relevant to ask for their home address, but it would be excessive to ask them about, e.g., their job position or education.
It is also forbidden to keep data longer than it is necessary to perform those purposes.