The General Data Protection Regulation (the “GDPR“ ) has seven fundamental principles that apply to the collection and processing of personal data. These are not fuzzy guidelines - they are legal rules - so it’s important to get to know them.
1. Lawfulness and Transparency. Meaning that there has to be a legal reason or justification to gather data, and the “data subject” (the person whose data it is) needs to be informed about the processing of his or her data.
This is what privacy notices are for
2. Specific and Limited Purpose. Data must be collected for only “specified, explicit and legitimate purposes” - and for no other purpose.
For example, data gathered for the specific purpose of completing a hotel reservation (a “specified purpose”) can’t then be used for marketing (without the customers consent for that new purpose).
3. Data Minimization. Companies should collect only the data they need to fulfill a specified purpose. . That’s it - companies can’t hold any irrelevant data.
For example, with hotel reservation data, if the company doesn't need to know date of birth or gender - they shouldn’t collect it.
4. Accuracy. Personal data must be kept accurate and up to date. Companies must take all reasonable steps to ensure the personal data they hold is not incorrect, or could be misleading.
For example, if a company has the incorrect address for a customer or user, they should correct it!
5. Storage Limitation. There’s a time imitation - personal data can only be held for as long as is necessary for the purposes for which the personal data are processed. It must be deleted (or anonymized) if it’s no longer required.
Once the hotel no longer requires the data for the reservation - i.e. for tax reporting etc. - it should be deleted.
6. Integrity and Confidentiality. Data must be kept secure.
For example, a company could encrypt the data to protect it from data breaches.
7. Accountability. Companies are on the hook if they mess up 1 - 6 - it’s up to companies to prove that they are in compliance and they have to keep good records that show how they’ve complied.
Lawfulness and Transparency
Specific and Limited Purpose
Integrity and Confidentiality