Data Protection Principles
And What Do They All Mean?
Under the UK’s Data Protection Act 1998, eight data protection principles existed at the centre of the legislation, but by 2018 these principles were developed and furthered by the European Union’s GDPR and made a part of UK law within the DPA 2018.
For some reason, since the introduction of the GDPR in 2018, there appears to have been some confusion over both the definition and number of principles set forth. You may have even encountered resources with titles such as ‘The Six Data Protection Principles’ etc., but we’re here to set the record straight, help you understand how many data protection principles there are, and what a data breach can mean for you and your business.
The Data Protection Act 2018 and GDPR
With a great deal of overlap between the DPA 1998 and 2018, many of the current seven principles of data protection differ only slightly from the previous eight. Perhaps one of the reasons why there seems to be some confusion over the number of data protection principles is the distinction between the first six and the final ‘accountability principle’.
This final ‘accountability principle’ is an element of the data protection legislation that is designed not only to enforce specific rules upon organisations, but to help build a security-conscious culture in which rights and obligations are fundamental considerations throughout every part of the personal data lifecycle.
Below we have an overview of what the seven data protection principles are, and how these current seven principles of data protection have been incorporated and developed by GDPR. With all of these principles, the accountability and responsibility of organisations is legislatively emphasised.
The Seven Principles
Having established the answer to how many data protection principles there are, it’s worth delving a little further to understand what functions these principles serve.
At the heart of both the GDPR and the DPA are principles that are designed to act as the foundations upon which data protection legislation is built, informing the ways in which all organisations should adhere to data protection and compliance issues.
- Lawfulness, fairness and transparency
Data should be processed lawfully, fairly and transparently, in a way in which individuals can understand and does not infringe upon the data subject’s rights or legal protections. Language explaining data processing to subjects must be clear, plain and accurate regarding what a data subject is consenting to.
- Purpose limitation
Information that is collected for a specifically stated purpose should not then be processed in a manner incompatible with those previously stated purposes. This means data collection must have a rationale that does not significantly deviate from the processing limits the data subject agreed to.
It should also be noted that further processing on the grounds of public interest, scientific or historical research or for statistical purposes is not considered ‘incompatible’ and is therefore permitted.
- Data minimisation
Data is adequate, relevant and limited to what is necessary for the intended processing. This ensures organisations are not collecting extraneous information they don’t need, merely for the purpose of having it.
- Accuracy
Information is kept up to date, and reasonable measures have been taken to ensure data is accurate, and that inaccurate information is either rectified or erased.
- Storage limitation
Information must be kept for no longer than necessary for the intended purposes, and organisations wishing to keep personal data indefinitely will likely be in violation of this principle.
As with ‘purpose limitation’, there are grounds (scientific, historical etc.) upon which the storage of data is more ‘open’, providing the rights and freedoms of data subjects are not subject to infringement.
- Integrity and confidentiality
Data should be processed in a way that ensures the appropriate level of security and organisations should take adequate measures to protect against any breach. Reasonable technical and organisational measures should be in place to protect data, such as encryption, segmentation, anonymisation and access controls.
- Accountability
Organisations shall be responsible for compliance, whilst also being able to demonstrate to the supervisory authority their compliance with data protection law.
Failure to Comply
Failure to comply with these data protection principles can result in extremely significant fines being handed down from the relevant authorities, which in the UK is the ICO (Information Commissioner's Office).
Under GDPR, data protection violations can result in a maximum fine of 20 million Euros (or equivalent in sterling) or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher. These fines are applied in what is referred to as a ‘tiered approach’, with the previously noted amount being the ‘higher maximum’, and a ‘standard maximum’ being 50% of the higher.
Though the phrase ‘data breach’ may conjure images of hackers exfiltrating data out of company servers, data breaches can encompass a variety of incidents, including the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
There can be many contributing factors that lead to a breach of personal information, though of these contributors, one easily avoidable issue stands out: human error.
In the first 8 months following the introduction of GDPR there were approximately 10,600 data breach notifications made to the various supervisory authorities, many of which could likely have been avoided.
With the cost of breaches continuing to rise, organisations can no longer ignore the role that ignorance, negligence and a lack of training play in facilitating data breaches. From the cost of technical expertise required for recovery, to the incalculable damage that a data breach can cause to a company’s reputation, information security awareness is now a business-critical matter.
Research based upon official ICO data suggests that up to 90% of all cyber data breaches were, in 2019, a result of human error. With threats ranging from malicious and revenge-motivated insiders to the more persistent threat of phishing attacks, information security cannot be tackled with technological solutions alone.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.