Data Protection Principles

And What Do They All Mean?

Under the UK’s Data Protection Act 1998, eight data protection principles existed at the centre of the legislation, but by 2018 these principles were developed and furthered by the European Union’s GDPR and made a part of UK law within the DPA 2018.

For some reason, since the introduction of the GDPR in 2018, there appears to have been some confusion over both the definition and number of principles set forth. You may have even encountered resources with titles such as ‘The Six Data Protection Principles’ etc., but we’re here to set the record straight, help you understand how many data protection principles are there, and what a data breach can mean for you and your business .

The Data Protection Act 2018 and GDPR

With a great deal of overlap between the DPA 1998 and 2018, many of the current seven principles of data protection are only slight in their difference from the previous eight. Perhaps one of the reasons why there seems to be some confusion over the number of data protection principles could be the differentiation between the first six and the final ‘accountability principle’.

This final ‘accountability principle’ is an element of the data protection legislation that is designed not only to enforce specific rules upon organisations, but to help build a security conscious culture in which rights and obligation are fundamental considerations throughout every part of the personal data lifecycle.

Below we have an overview of what the seven data protection principles are, and how these current seven principles of data protection have been incorporated and developed by GDPR. With all of these principles, the accountability and responsibility of organisations is legislatively emphasised.

The Seven Principles

Having established the answer to how many data protection principles are there, it’s worth delving a little further to understand what functions these principles serve.

At the heart of both the GDPR and the DPA are principles that are designed to act as the foundations upon which data protection legislation is built, informing the ways in which all organisations should adhere to data protection and compliance issues.

1. Lawfulness, fairness and transparency

Data should be processed lawfully, fairly and transparently, in a way in which individuals can understand and does not infringe upon the data subject’s rights or legal protections. Language explaining data processing to subjects must be clear, plain and accurate regarding what a data subject is consenting to.

2. Purpose limitation

Information that is collected for a specifically stated purpose should not then be processed in a manner incompatible with those previously stated purposes. Meaning data collection must have a rationale that does not significantly deviate from the data subject’s agreed upon processing limits.

It should also be noted that further processing on the grounds of public interest, scientific or historical research or for statistical purposes is not considered ‘incompatible’ and thus permitted.

3. Data minimisation

Data is adequate, relevant and limited to what is necessary for the intended processing. Ensuring organisations are not collecting extraneous information they don’t need, merely for the purpose of having it.

4. Accuracy

Information is kept up to data, and reasonable measures have been taken to ensure data is accurate, and that inaccurate information be either rectified or erased.

5. Storage limitation

Information must be kept for no longer that necessary for the intended purposes and organisations wishing to keep personal data indefinitely will likely be in violation of this principle.

As with ‘purpose limitation’, there are grounds (scientific, historical etc.) upon which the storage of data is more ‘open’, providing the rights and freedoms of data subjects are not subject to infringement.

6. Integrity and confidentiality

Data should be processed in a way that ensures the appropriate level of security and organisations should take adequate measures to protect against any breach. Reasonable technical and organisational measures should be in place to protect data, such as encryption, segmentation, anonymisation and access controls.

7. Accountability

Organisations shall be responsible for compliance, whilst also being able to demonstrate to the supervisory authority their compliance with data protection law.

Failure to Comply

Fines

Failure to comply with these data protection principles can result in extremely significant fines being handed down from the relevant authorities, which in the UK is the ICO (Information Commissioner's Office).

Under GDPR, data protection violations can result in a maximum fine of 20 million Euros (or equivalent in sterling) or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher. These fines are applied in what is referred to as a ‘tiered approach’, with the previously noted amount being the ‘higher maximum’, and a ‘standard maximum’ being 50% of the higher.

Data Breaches

Though the phrase ‘data breach’ may conjure images of hackers exfiltrating data out of company servers, data breaches can encompass a variety of incidents, including the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

There can be many contributing factors that lead to a breach of personal information, though of these contributors, one easily avoidable issue stands out: human error.

In the first 8 months following the introduction of GDPR there were approximately 10,600 data breach notifications made to the various supervisory authorities, many of which could likely have been avoided.

With the cost of breaches continuing to rise, organisations can no longer ignore the role that ignorance, negligence and a lack of training play in facilitating data breaches. From the cost of technical expertise required for recovery, to the incalculable damage that a data breach can cause to a company’s reputation, information security awareness is now a business-critical matter.

Research based upon official ICO data suggests that up to 90% of all cyber data breaches were, in 2019, a result of human error. Ranging from malicious and revenge motivated inside actors, to the more persistent threat of phishing attacks, information security cannot be tackled with technological solutions alone.