3. Data minimisation principle
This principle requires the controller to process only the minimum amount of personal data needed to achieve the stated purpose, and not to collect more than that. The scope of each processing activity must be documented so that you can show the supervisory authority that you used no more data than the purpose required. Apply this principle with particular care when the data you process is special category data (health data, for example).
Example: a company advertises a programmer vacancy, and the application form it gives candidates asks whether they are married. This is a breach of the data minimisation principle: marital status has no bearing on whether someone can do the job, so the company is trying to process more data than the purpose (selecting a programmer) needs.
Collecting data that is not used immediately can still be lawful if it serves a specific, identified purpose. For example, a company may record the blood type of employees who do hazardous work such as construction: the information is not used day to day, but it is needed if a worker is injured and requires a transfusion. The company does not breach data minimisation here, because the data is adequate and relevant to a concrete purpose (emergency care for workers in hazardous jobs) rather than collected speculatively. Note that blood type is health data, a special category, so the stricter conditions of Article 9 GDPR must also be met.
In short, under the data minimisation principle only data that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed may be processed.
4. Accuracy principle
You must make sure that the personal data you process is correct. If you collected inaccurate data by mistake and have since corrected it, record both the incident and the correction. Accurate does not always mean current: a record is not inaccurate simply because it describes a past state. For example, if a company's records say that a customer lived in Bucharest and the customer has since moved to Paris, the record is not wrong, because the person did live in Bucharest at the time the record refers to. It follows that personal data does not always have to be kept up to date; whether it does depends on the purpose of the processing. If you rely on the data now, for a current purpose, it must be current. A postal service delivering letters to customers' addresses, for instance, must check regularly that a customer's home address has not changed.
This requires a procedure for editing and correcting data when necessary. For example, a customer notifies us that they have changed their email address because the old mailbox was compromised. The change must be reflected in our systems immediately; otherwise we keep sending the data subject's personal data to a mailbox the attacker controls, which is a breach of data security.
We adhere to the principle of accuracy that the data we process must be accurate and, where necessary, updated without delay.
5. Storage limitation principle
The GDPR requires that personal data is not kept for longer than is necessary for the purposes for which it is processed. The Regulation does not set a specific time limit for the controller; the period depends on how long the purpose genuinely takes to achieve. Complying with storage limitation also helps with accuracy: deleting data you no longer need removes outdated data that is no longer related to any purpose.
Where the law prescribes a retention period, that period must be respected. The accounting law, for instance, requires invoices to be kept for 10 years and payroll statements for 50 years.
To meet the GDPR's documentation (accountability) obligations you need a data retention policy that states how long each category of data is kept and why. A formal policy may be more than a small business needs, but such businesses must still review stored data regularly and delete personal data that is no longer needed.
In some cases another legal obligation extends the retention period beyond the original purpose, for example where public authorities may need the data for security or law-enforcement purposes. If a person opens a bank account and later closes it, the bank must still keep the account records for the period the applicable law prescribes, even though the customer relationship has ended. Storage limitation still applies here; the retention period is simply set by that obligation rather than by the original purpose.
Once the purpose of the processing has been fulfilled, the data must be deleted. Be aware that deleting personal data from your live systems while keeping a copy offline (in backups, archives or exports) is still processing; to apply storage limitation correctly you must delete the data everywhere, online and offline. Encryption is not a substitute for deletion: encrypted data is still personal data under the GDPR, and the same obligations apply to it.
There is one further case in which the controller may keep data after the original purpose has been achieved: processing solely for archiving purposes in the public interest, for scientific or historical research, or for statistical purposes, with appropriate safeguards for the data subjects. That must be the only purpose of the continued storage; keeping the data for any other purpose under this heading is a breach of the Regulation.
Under the storage limitation principle, data will not be kept for longer than is necessary for the purposes for which it is processed, and where the law does not lay down a retention period we will set one, as short as possible, through an internal procedure.
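The retention policy described in this section, as an added worked example in Python (not code from the original page). It assumes a simple record model in which every stored record carries a data category and the date on which its purpose was fulfilled (application rejected, account closed, and so on). The two statutory periods the page cites (invoices 10 years, payroll statements 50 years) are treated as legal minimums; every other category and period in the policy, and all sample records, are constructed for illustration.

```python
"""Retention-policy sweep: added example, not code from the original page.

Assumed model: each stored record has a category and the date on which the
purpose it was collected for was fulfilled (application rejected, account
closed, delivery completed). The policy maps a category to a retention
period counted from that date. Periods marked "legal" are statutory minimums
(the page cites 10 years for invoices and 50 for payroll statements under the
accounting law); periods marked "internal" are set by our own procedure and
are illustrative assumptions here.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class RetentionRule:
    years: int   # keep for this many years after the purpose is fulfilled
    basis: str   # "legal" = statutory minimum, "internal" = our own procedure


# Constructed policy. Only the two "legal" entries come from the page.
POLICY = {
    "invoice":           RetentionRule(years=10, basis="legal"),
    "payroll":           RetentionRule(years=50, basis="legal"),
    "job_application":   RetentionRule(years=1, basis="internal"),   # assumption
    "newsletter_signup": RetentionRule(years=2, basis="internal"),   # assumption
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    purpose_fulfilled_on: Optional[date]   # None = purpose still active


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 February to 28 February when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def decide(record: Record, today: date) -> Tuple[str, str]:
    """Return (action, reason). Actions: "retain", "delete", "review"."""
    rule = POLICY.get(record.category)
    if rule is None:
        # A category with no documented purpose and period cannot be
        # justified to the supervisory authority; flag it instead of guessing.
        return "review", f"no retention rule for category {record.category!r}"
    if record.purpose_fulfilled_on is None:
        return "retain", "purpose still active"
    expires = add_years(record.purpose_fulfilled_on, rule.years)
    if today < expires:
        return "retain", f"{rule.basis} period runs until {expires.isoformat()}"
    return "delete", f"{rule.basis} period ended on {expires.isoformat()}"


def sweep(records: Iterable[Record], today: date) -> List[dict]:
    """Evaluate every record and return one audit-log entry per record.

    The caller deletes the records marked "delete" (everywhere, including
    backups) and keeps this log as evidence that data was removed when its
    period ended and why anything older is still held.
    """
    log = []
    for r in records:
        action, reason = decide(r, today)
        log.append({"record_id": r.record_id, "category": r.category,
                    "action": action, "reason": reason,
                    "evaluated_on": today.isoformat()})
    return log


if __name__ == "__main__":
    # Constructed sample records.
    sample = [
        Record("inv-0001", "invoice", date(2014, 5, 31)),
        Record("app-0042", "job_application", date(2023, 3, 1)),
        Record("app-0043", "job_application", None),
        Record("pay-0007", "payroll", date(2000, 1, 31)),
        Record("bt-0001", "blood_type", date(2020, 1, 1)),
    ]
    for entry in sweep(sample, date(2024, 6, 1)):
        print(f"{entry['record_id']:<9} {entry['action']:<7} {entry['reason']}")
```

The "review" outcome is deliberate: a record whose category has no documented retention rule is exactly the case the accountability obligation does not allow, so the sweep surfaces it for a decision rather than silently keeping or deleting it.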
6. Principle of integrity and confidentiality
This principle covers the security of personal data. When you process personal data, nobody who is not authorised should be able to access it, including staff in your own company who have no need for it. You need a level of cyber security that is adequate to the risk. Treat the security of personal data as a core responsibility of the company: a leak of citizens' personal data can put them at real risk, for example of fraud or identity theft, and in the worst case the harm is the same as that of a deliberate attack on them.
What needs to be protected?
Every aspect of data processing must be protected. This means you need to make sure of several things, such as:
- no one has access to personal data except those who are authorised (this includes your own employees),
- you must be able to protect the data against damage, loss and unauthorised alteration, and
- you must be able to restore it if it is damaged or lost, which means tested backups.
The GDPR obliges us to verify that our security measures actually work.
The GDPR requires controllers to regularly test, assess and evaluate the effectiveness of their security measures, but it does not prescribe how these tests are carried out, because that depends on your business environment. It is equally important to test staff and make sure they understand the GDPR principles well enough to apply them; regular GDPR training is very useful here.
We note under the principle of integrity and confidentiality that personal data are processed in a way that ensures adequate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by taking appropriate technical or organisational measures.