Otherwise known as the measuring stick by which your some of your GDPR compliance will be assessed, the six core principles of the GDPR are the basic foundations upon which the regulation was constructed. Unquestionable and pure in nature, they are somewhat rarely acknowledged for one simple reason; five of the six have no real application in helping to peddling products and solutions.
Thou Shalt GDPR
Buried in the 88 pages of the GDPR under chapter two article five, the biblical-styled principles are set out in a far less dramatic fashion than they possibly deserve.
1. Personal information shall be processed lawfully, fairly and in a transparent manner - Jargon deciphered, principle one specifically nods toward the concept of clear consent. In any situation where personal information is collected, it should have the demonstrable consent of the data subject. Opt-in tick boxes are still permitted but the regulation explicitly prohibits consent by non-action or opt-out boxes. The death of those confusing subscription choices at the bottom of forms is on the horizon.
2. Personal information shall be collected for specified, explicit and legitimate purposes – Where personal information is collected, it must be communicated to the data subject what the purpose for its collection is and the subsequent processing. Organisations will need to become much clearer with data subjects about what their personal information will be used for.
3. Personal information shall be adequate, relevant and limited to what is necessary – When collecting personal information, the data controller must only collect personal information which is absolutely mandatory for the specified purpose. For example, if personal information is collected to send me a magazine subscription, there is no requirement for my date of birth.
4. Personal information shall be accurate and, where necessary, kept up to date – It is now the obligation of the data controller to ensure, to the best of their abilities, that the information collected is correct. This may seem difficult and even trivial, however what the regulation is trying to address, are situations whereby processing incorrect personal information may cause distress or harm to data subjects.
5. Personal information shall be retained only for as long as necessary – Marketing teams wince at this principle as though it is the sourest grapes on the vine. All personal information must now have an expiration date applied, appropriate to its collected purpose. Indefinite retention is unlikely to ever entertain the patience of the supervisory authority.
6. Personal information shall be processed in an appropriate manner to maintain security – The principle which has attracted much focus requires data controllers and processors to ensure their systems maintain the confidentiality, integrity and availability of data processing systems.
21st Century Snake Oil
The GDPR was designed to deliberately shy away from mandating the need for technological solutions. It accepts and even advocates that in most cases organisational controls provide sufficient protection. For example, the modification of existing online web-forms, creating a policy for the deletion of expired personal information or privilege access management to ensure the confidentiality and integrity of processing systems.
Focussing on just one principle by way of seeking to sell solutions does an injustice to the purpose and spirit of the regulation as a whole.
The GDPR is not really supposed to create a feeding-frenzy of solution purchases, nor is it there to induce stress through budget-busting administrative fines if you don’t buy solutions. The six core principles show us that it's simply to ensure that the personal information and attributes of people (like you and I) are given the care and protection they deserve and we expect.
Albert Einstein once said “Any Fool Can Know, the Point is to Understand”, so put your wallet away, it’s probably not required.