3 GDPR Principles: Accuracy, Retention, and Transparency
We’ve shared many details surrounding the General Data Protection Regulation (GDPR) enforcement date beginning 25 May 2018, and there is a lot of information out there. Yet one question keeps coming up: Why the GDPR?
Ultimately, the GDPR codifies principles and practices to help secure the personal data of the EU citizenry by holding organisations accountable for the data they collect, process, and store.
With that in mind, let’s explore three principles of this legislation first addressed by the Data Protection Act of 1998 (DPA):
Accuracy: While the DPA does not define “accurate,” it qualifies inaccurate data as misleading or incorrect. The DPA established this principle (and the GDPR codifies it) to encourage organisations to do four things:
- Implement “reasonable steps” to ensure personal data accuracy
- Verify clear sources of personal data
- Consider challenges to data accuracy
- Consider necessary updates to data
What are reasonable steps towards accuracy? It depends on the nature of the data and what it’s used for. When data accuracy is critical to services (those that greatly impact individuals or the public), organisations should put greater effort into ensuring its accuracy.
When information sources are reliable or well-known, it’s reasonable to assume the data is reliable. Data should still be double-checked when serious consequences of error would severely impact individuals, or when common sense points to a mistake.
Challenges to accuracy should be recorded and investigated. When data is verified as correct, organisations should document the challenge to help comply with other GDPR and DPA principles.
How often should you update the data? Again, it depends on the data. If you’re in human resources and an employee earns a raise or promotion, this data should be reflected immediately, so she receives the salary and benefits commensurate with her new status or position.
Retention: The DPA established practices and principles to encourage organisations to:
- Review how long personal data is stored
- Determine why you have data and how long you need it
- Securely erase the data you no longer need
- Update, archive, or delete this data on scheduled cycles
Personal data held longer than necessary is excessive, not to mention irrelevant and inefficient. It also increases organisational risk should a breach occur, since data you no longer hold cannot be exposed. Review your data regularly to determine its relevance to your organisation and the individuals you serve.
Stay ahead of the data tsunami: If you need it, secure it. If it’s old, update it. If you don’t need it, delete it.
Transparency: GDPR requires organisations to conduct information audits and map data flows. You must also document the personal data you store, its source, what you’re doing with it, and with whom you share it.
- Legality: Businesses must identify and document the legal bases for processing personal data.
- Document Consent: How do you request and record consent? Are your data systems capable of recording and managing these consent documents? GDPR requires this review for your organisation. And if your business delivers online services directly to minors, you must have data systems capable of securing consent from their guardian.
- Registration: Lastly, your organisation must register with the Information Commissioner’s Office.
If you have additional questions regarding these principles, FileFacets can help you discover the answers for your organisation. FileFacets provides the platform and methodology to help businesses comply with the EU’s GDPR.