FAQ

Frequently Asked Questions

This guidance note, on ‘Data Protection Basics’, aims to address some of the most common questions about data protection law and to clarify the basic principles underlying data protection. This guidance covers the different laws which apply in a data protection context and when they apply, as well as the meaning of ‘personal data’ and ‘processing’, and how to identify a ‘data controller’ and what their obligations are. It aims to explain the requirement for a ‘legal basis’ to justify the processing of personal data, and outline the rights which individual ‘data subjects’ have and how they can exercise them. It also sets out the basics of the rules around electronic direct marketing as well as the use of cookies and other similar technologies. This guidance should assist both data subjects, as well as data controllers, particularly where read in advance of submitting a request to a data controller or a query to the DPC.

Article 5 of the General Data Protection Regulation (GDPR) sets out key principles which lie at the heart of the general data protection regime. These key principles are set out right at the beginning of the GDPR and they both directly and indirectly influence the other rules and obligations found throughout the legislation. Therefore, compliance with these fundamental principles of data protection is the first step for controllers in ensuring that they fulfil their obligations under the GDPR. The following is a brief overview of the Principles of Data Protection found in Article 5 GDPR:

Lawfulness, fairness, and transparency: Any processing of personal data should be lawful and fair. It should be transparent to individuals that personal data concerning them are collected, used, consulted, or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.

Purpose Limitation: Personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. However, further processing for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes (in accordance with Article 89(1) GDPR) is not considered to be incompatible with the initial purposes.

Data Minimisation: Processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum (see also the principle of ‘Storage Limitation’ below).

Accuracy: Controllers must ensure that personal data are accurate and, where necessary, kept up to date, taking every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. In particular, controllers should accurately record the information they collect or receive and the source of that information.

Storage Limitation: Personal data should only be kept in a form which permits identification of data subjects for as long as is necessary for the purposes for which the personal data are processed. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.

Integrity and Confidentiality: Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including protection against unauthorised or unlawful access to or use of personal data and the equipment used for the processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Accountability: Finally, the controller is responsible for, and must be able to demonstrate, their compliance with all of the above-named Principles of Data Protection. Controllers must take responsibility for their processing of personal data and how they comply with the GDPR, and be able to demonstrate (through appropriate records and measures) their compliance, in particular to the DPC.

In order to process personal data you must have a lawful basis to do so. The lawful grounds for processing personal data are set out in Article 6 of the GDPR. These are:

  • The consent of the individual;
  • Performance of a contract;
  • Compliance with a legal obligation;
  • Necessary to protect the vital interests of a person;
  • Necessary for the performance of a task carried out in the public interest; or
  • The legitimate interests of the company/organisation (except where those interests are overridden by the interests or rights and freedoms of the data subject).

Businesses and organisations that process personal data must provide individuals with information on the type of processing that is taking place and who is carrying it out. At a minimum, this information must clearly state:

  1. Who you (the organisation) are.

  2. Why you are processing the data.

  3. What legal basis you rely on to legitimise the processing.

  4. Whether or not the data will be transferred on to other organisations or individuals.

  5. How long the data will be stored.

  6. The existence of the individual’s rights under data protection, including the rights to access, correction, erasure, restriction, objection and portability.

The following information must also be supplied, if it is the case that your business or organisation comes within the scope of these provisions:

  • If you are required to appoint a Data Protection Officer then the contact information of the DPO must be provided.
  • If you are relying on legitimate interests as your legal basis for processing, you must explain what the legitimate interest is.
  • If you are transferring the data outside of the EU, you must explain why.
  • If you rely on consent as your legal basis for processing, you must explain how consent can be withdrawn.
  • If there is a legal obligation to provide the data, that must be explained.
  • If you are processing by means of automated decision-making, you must provide information about the logic underpinning the automated process, and any consequences arising out of a decision that has been arrived at through automated means. Be aware that the right to object to automated processing, described in the guidance for individuals section, is one of the rights granted to individuals under the GDPR.

Further information on Transparency is available in the Article 29 Working Party Guidance.