Published on Jan 11, 2021
Considerable debate has always surrounded the question of whether the EU General Data Protection Regulation (EU GDPR) contains six principles or seven. Fast forward to 2021: the UK has now left the European Union (EU) with a trade agreement, which includes a bridging period to allow data to flow from the UK to the EU for six months whilst the adequacy agreement is decided.
Brexit has resulted in two versions of the GDPR: one for the remaining EU nations (EU GDPR) and one for the UK (UK GDPR). Despite the changes, the six or seven principles (depending on which side of the fence you sit) remain at the heart of the UK GDPR, embodying the spirit of the EU/UK data protection regime.
Getting back to the debate in question, it is easy to see the basis for disagreement. The first six principles (which will be outlined below) are set out in art.5(1).
Art.5(2) then states:
“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
Is art.5(2) a ‘principle’ or simply a statement relating to who is accountable for the six principles listed in art.5(1)?
Before considering this question, let us look at the agreed six principles in more detail.
The principles under art.5(1) are as follows:
Lawfulness, fairness, and transparency
To ensure the grounds for processing personal data are lawful, you need to understand the UK GDPR and the Data Protection Act 2018 and how they work together. Before processing data, you must identify that you have a lawful basis to do so. The lawful bases for processing are set out in art.6 of the UK GDPR.
For transparency purposes, your privacy statement should outline the circumstances in which you will collect data, how it is collected, and the purposes for which it will be used. You must always consider the effect processing will have on the data subject and never mislead or deceive them. Furthermore, special consideration must be given to ‘special categories’ of personal data, which are covered in art.9(1), which states:
“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”
Note: art.9(2) goes on to list ten detailed exceptions to art.9(1).
Purpose limitation
You need to be honest about why and how you are collecting personal data and honour what is set out in your privacy statement. The UK GDPR states that the purpose of any data collection must be “specified, explicit and legitimate”.
Certain organisations need to keep records of the purposes for which they are processing personal data. However, even if you are the controller of a small entity, it is good practice to document all of your purposes. Doing so will ensure you have proof of compliance if you are ever subject to a complaint or data breach in the future.
Data minimisation
Personal data collection should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. This means collecting only what is necessary to carry out that particular processing operation at that precise time.
If additional personal data is required at a later date, it should be collected at the time it is required and not before. For compliance purposes, make sure you have a detailed written policy on the extent of data collection and share it with all staff involved in collecting personal data.
Accuracy
You must ensure the data your organisation retains is accurate and complete. According to the Information Commissioner’s Office (ICO), to comply with the accuracy principle you should:
Although the term ‘accurate’ is not defined in the UK GDPR, the Data Protection Act 2018 states that ‘inaccurate’ means “incorrect or misleading as to any matter of fact”.
Storage limitation
You should not retain personal data in a form that permits identification for any longer than you need to before it is stored in a secure format. No time limits are set out in the UK GDPR; it is left to your judgement how long data needs to be kept. Sometimes professional regulatory requirements will dictate this; for example, your accountant will keep details of your self-assessments on file for five years, as HMRC states this is how long records must be kept.
A solicitor or will writer will keep your will on file until you die. For some organisations, the period for keeping a person’s data will extend to the length of time they are a customer. What is important is that you put a retention policy in place, which includes the reasons behind the policy, and ensure it is documented and communicated throughout your organisation.
Integrity and confidentiality (security)
You must handle personal data “in a manner [ensuring] appropriate security”, which includes “protection against unlawful processing or accidental loss, destruction or damage”. This principle requires that, alongside physical security, you have robust cyber and data security procedures in place, including the ability to encrypt and/or pseudonymise personal data wherever possible, and that you update your cybersecurity measures regularly.
Is accountability a UK GDPR principle? According to the UK regulator, the ICO, it is.
“Taking responsibility for what you do with personal data, and demonstrating the steps you have taken to protect people’s rights not only results in better legal compliance, it also offers you a competitive edge. Accountability is a real opportunity for you to show, and prove, how you respect people’s privacy. This can help you to develop and sustain people’s trust.
Furthermore, if something does go wrong, then being able to show that you actively considered the risks and put in place measures and safeguards can help you provide mitigation against any potential enforcement action. On the other hand, if you can’t show good data protection practices, it may leave you open to fines and reputational damage.”
Although some writers have not included accountability as one of the UK GDPR principles, the ICO states that the provisions of art.5(2) do constitute a principle. Either way, demonstrating accountability is required throughout the UK GDPR.
Whether there are six or seven UK GDPR principles remains open for debate. What is important is that controllers and processors understand they have a legal obligation to abide by the principles and to provide evidence of compliance.
Let us know whether you think there are six or seven UK GDPR principles; we would love to hear your view in the comments section below.
Explore the GDPR & FOI certified training from BCS, the Chartered Institute for IT, as well as the IAPP-accredited GDPR and privacy management training courses we offer. To learn the essential aspects of data protection and privacy law, book a flexible, certified online course.