To process your data in accordance with the GDPR, you must comply with six key principles. These principles govern the entire data processing lifecycle from data collection practices to data storage and data deletion. Have a look at this blog post if you want to know more about these principles.
Lawfulness, fairness, transparency, the pillars of personal data processing
Personal data of your customers, your prospects and your employees are key to your operations and an asset to your organisation.
In order to be GDPR compliant, you will need to respect a whole set of rules. And this starts with the way you collect personal data.
These rules can be summed up in three words:
- Lawfulness. Collect personal data, yes, but in compliance with the law: forget extortion, blackmail or the purchase of illegal databases.
- Fairness. You can obtain personal data directly from the data subject, or from a third party, but never without the data subject's knowledge. This is why activities such as database rental or scraping are strictly regulated.
- Transparency. Be prepared to inform individuals about what you do with their personal information and what their privacy rights are. You will need to set out your practices in your privacy policy and keep an up-to-date record of your processing activities. Being open about your practices is also how you build trust.
In addition, the GDPR introduces the accountability principle: you must be able to demonstrate that you comply with the law. In particular, this means keeping adequate documentation of which personal data you process, how, for what purpose and for how long.
Limit the purposes for a GDPR-compliant use of personal data
You are not going to build a database just for the sake of it. For example, you don’t run marketing campaigns because you love writing emails, right? You run marketing campaigns because you want to promote your products to your prospects and your customer base.
You need to identify precisely the objectives you are pursuing (HR operations, customer relationships, etc.). This will determine everything: what data you need, for what purpose, and for how long.
Conversely, you cannot collect data:
- for an illicit purpose, for example to run an illegal business (drug trafficking, fake diplomas…);
- for a vague purpose. Data must be collected for specific purposes (e.g. because it is necessary to provide a service) and must not be kept just because you think you might need it someday.
Minimisation, a policy of collecting and using data reduced to the strict minimum
Once you define your objectives, it is easier to determine what kind of data you need.
In practice, this is what “protection of personal data” means under the GDPR:
- to run telephone campaigns, you do not necessarily need the e-mail address or photo of your prospects. Your data collection forms should therefore not include these fields;
- a service provider in charge of testing the technical functioning of your corporate social network does not need to have the personal details of your employees;
- and so on.
But is it really that bad to hold more data than you need?
Yes, because:
- you will violate the principle of data minimisation;
- you will incur costs (IT security, database maintenance, etc.) related to the storage of useless data;
- in the event of a cyber attack, you expose the privacy of the people whose data you process;
- you are jeopardising your e-reputation. Your customers and prospects may lose confidence in you if they find out what you know about them.
Accuracy, the prerequisite for GDPR-compliant data processing
The GDPR requires you to maintain accurate and up-to-date databases.
This includes giving people whose data you process the ability to notify you of errors and changes. You will also need to respond to notifications that you receive to rectify or delete incomplete, inaccurate or obsolete data.
Restrict data retention period
You cannot keep personal data forever.
The GDPR requires you to set an appropriate retention period for personal data. Once this period has elapsed, the data is no longer useful for the purpose you are pursuing.
It is up to you to evaluate your needs and document them in order to prove the validity of the duration you have chosen.
In some cases, you can rely on:
- reference frameworks published by the DPA; data protection in Belgium also relies on this type of tool;
- retention periods imposed by specific legislation, for example for HR operations or litigation.
What happens when your data retention period (including any legally required archiving periods) is reached?
Depending on the case, data will be:
- permanently deleted from the databases. The company no longer needs it and therefore keeps no trace of it;
- anonymised. This will allow you to continue to conduct statistical and aggregate analysis.
Security, the basic foundation of a personal data protection policy
You now understand that processing personal data can be a risky business.
You are probably already familiar with the concept of cyber security. You need to protect your assets, your IT systems and your servers from external attacks.
But you do so to protect your own interests.
The GDPR requires you to ensure the protection of the personal data that you hold. You will therefore have to apply a security policy adapted to your context and to the risks you have identified.
Beware: if a data breach occurs, you may have to notify the regulator. Failing to do so when required exposes you to a sanction from the DPA, as do any shortcomings in your security policy.
Conclusion: Are you ready to comply with the GDPR’s 6 key principles?
To comply with the 6 key principles, you will need to put in place a rigorous personal data management policy.
This policy will concern all levels of the data processing activities: your internal departments, your vendors and your data processors.
You can rely on proven software to make your life easier. For example, Admeet’s solutions will allow you to manage your website’s GDPR compliance.