Data processing principles

The General Data Protection Regulation (GDPR) introduces a series of key principles that describe how businesses should behave when processing individuals' personal data.

Those principles are described very clearly and concisely in Article 5(1) and the associated Recital 39.

I've reproduced each of those principles below and added some possible upshots of each one to illustrate the type of impact they may have on your small or medium-sized enterprise (SME):

Lawfulness, fairness and transparency

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

Article 5(1)(a) - Principles relating to processing of personal data, GDPR

Some practical upshots for SMEs:

  • Every processing activity needs a lawful basis under Article 6. Consent is one of those bases (others include performance of a contract, a legal obligation and legitimate interests), so you need to gather consent for the processing of personal data in some cases, but not in all of them
  • Where consent is the basis, the consent request needs to be easy to read and describe exactly what you plan to do with the data
  • You mustn't use the data in a way the individual would not reasonably expect from what you told them when it was collected

The topic of consent is covered in much greater detail on the Consent page.

Collected for a given reason and not used in other ways

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

Article 5(1)(b) - Principles relating to processing of personal data, GDPR

Some practical upshots for SMEs:

  • Record the purpose(s) for which each set of personal data was collected, together with its lawful basis; where that basis is consent, keep a record of exactly what permissions the individual gave and ensure you only process their data in ways they have consented to
  • You can't come up with new ways to use that data that are incompatible with the original purposes; where the new use rests on consent, you'll need to ask for a further consent to use the data in that way
  • If you've joined the big data revolution, you'll probably need to look at anonymising and aggregating your data before reusing it, or else seek consent for each new way you think of for processing that data that falls outside the original purposes. Bear in mind that data which has merely been pseudonymised (identifiers replaced by codes that you can still reverse) is still personal data; only data that can no longer be linked back to an individual falls outside the Regulation.
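The anonymising and aggregating step mentioned above, as an added example that is not code from the original page: a short Python pipeline that replaces the direct identifier in a set of constructed CRM rows with a keyed token, coarsens the quasi-identifiers (full postcode to outward code, date of birth to a ten-year band) and then releases only group counts that meet a minimum size. The sample rows, the secret key and the k=5 threshold are all assumptions made for the example.

```python
"""Pseudonymise and aggregate a customer extract before reusing it for analysis.

Added example, not code from the original page. Everything here is
constructed: the sample CRM rows, the secret key and the k=5 release threshold.
"""
import hashlib
import hmac
from collections import Counter
from datetime import date

# Constructed sample rows, the kind of CRM data the text describes.
CUSTOMERS = [
    {"email": "alice@example.com", "postcode": "OX16 9PA", "dob": date(1985, 3, 2), "orders": 4},
    {"email": "bob@example.com", "postcode": "OX16 2AB", "dob": date(1988, 7, 9), "orders": 1},
    {"email": "carol@example.com", "postcode": "OX16 1ZZ", "dob": date(1990, 11, 20), "orders": 2},
    {"email": "dave@example.com", "postcode": "OX16 5QQ", "dob": date(1986, 1, 1), "orders": 7},
    {"email": "erin@example.com", "postcode": "OX16 3RR", "dob": date(1991, 5, 5), "orders": 3},
    {"email": "frank@example.com", "postcode": "OX16 7TT", "dob": date(1984, 12, 31), "orders": 1},
    {"email": "grace@example.com", "postcode": "OX15 4JJ", "dob": date(1975, 2, 2), "orders": 5},
    {"email": "heidi@example.com", "postcode": "OX15 4JJ", "dob": date(1979, 9, 9), "orders": 2},
]

# Hypothetical per-purpose secret; in practice generated with secrets.token_bytes()
# and kept out of the analytics store so the tokens cannot be re-linked there.
KEY = b"example-pseudonymisation-key-not-for-production"
AS_OF = date(2024, 1, 1)  # fixed reference date so the example is reproducible


def age_band(dob: date, as_of: date) -> str:
    """Coarsen a date of birth to a ten-year band such as '30-39'."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    low = age // 10 * 10
    return f"{low}-{low + 9}"


def pseudonymise(row: dict, key: bytes, as_of: date) -> dict:
    """Replace the direct identifier with a keyed token and coarsen quasi-identifiers.

    HMAC rather than a bare hash: without the key nobody can confirm a guessed
    email address by recomputing its token. The output is still personal data
    under GDPR (Recital 26) because the key holder can re-identify it; only the
    counts produced by aggregate() are intended for wider release.
    """
    token = hmac.new(key, row["email"].strip().lower().encode(), hashlib.sha256).hexdigest()[:16]
    return {
        "id": token,
        "postcode_area": row["postcode"].split()[0],  # outward code only, e.g. OX16
        "age_band": age_band(row["dob"], as_of),
        "orders": row["orders"],
    }


def aggregate(rows: list, k: int = 5) -> tuple:
    """Count rows per (postcode_area, age_band) and suppress groups smaller than k.

    Returns (released, suppressed). Small groups are withheld rather than
    published, since a count of 1 or 2 for a small area can single a person out.
    """
    counts = Counter((r["postcode_area"], r["age_band"]) for r in rows)
    released = {group: n for group, n in counts.items() if n >= k}
    suppressed = sorted(group for group, n in counts.items() if n < k)
    return released, suppressed


def run(key: bytes = KEY, as_of: date = AS_OF, k: int = 5) -> tuple:
    """Full pipeline: pseudonymised rows, released aggregates, suppressed groups."""
    pseudo = [pseudonymise(row, key, as_of) for row in CUSTOMERS]
    released, suppressed = aggregate(pseudo, k)
    return pseudo, released, suppressed


if __name__ == "__main__":
    pseudo, released, suppressed = run()
    print(pseudo[0])
    print("released:", released)
    print("suppressed:", suppressed)
```

The pseudonymised rows stay inside the business and are still subject to the Regulation; the released dictionary is what you would hand to a reporting tool. Raising k, or dropping a column, is the lever when the suppressed list shows that too many groups are being withheld.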

Data minimisation

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

Article 5(1)(c) - Principles relating to processing of personal data, GDPR

Some practical upshots for SMEs:

  • If you have a customer profile page on your website or in your CRM, it almost certainly contains information you don't need and should therefore get rid of. Ask yourself: do you need to know a person's gender, date of birth or even their telephone number to interact with them? If a field has no purpose you can name, stop collecting it and remove what you already hold.

Kept accurate and up to date

accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

Article 5(1)(d) - Principles relating to processing of personal data, GDPR

Practical upshots for SMEs:

  • When you're informed of an update to an individual's data, you need to update all operational systems (e.g. CRM, line-of-business software, accounting software) with the new data without delay.
  • Where you find a piece of information is incorrect, e.g. if you get returned post or bounced emails, you need to correct or delete the incorrect data in all operational systems without delay.
  • With regard to historic data, it's possible that the wording "inaccurate, having regard to the purposes for which they are processed" could be read as meaning there is no need to go back and update every old invoice and report that features the outdated data, as the purpose of that data is to provide a historic record rather than to be used in further new processing.

Only kept for as long as actually needed

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

Article 5(1)(e) - Principles relating to processing of personal data, GDPR

Practical upshots for SMEs:

  • You can't keep personal data forever; once it has served the purpose it was collected for you must delete it, or anonymise it so that it no longer identifies anyone (the principle is about the form the data is kept in, so anonymised statistics can be retained)
  • Therefore, you need to know when you obtained the data, what purpose it serves and when the business no longer needs it for that purpose, allowing for any statutory retention periods (accounting records, for example) that set a minimum rather than a maximum.
  • Where data cannot be assigned an 'expiry date' initially, a process of periodic review will also be needed to check for data that is no longer needed

There's some useful further reading on this in Recital 39.
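As an added example of the expiry-date and periodic-review process described above (not code from the original page), here is a small Python retention review run over a constructed data inventory. Each record carries the purpose it was collected for, the collection date and, once known, the date the purpose ended; a per-purpose policy table gives the retention period counted from that end date, with None marking purposes that could not be given a fixed period. The purposes, periods, review interval and records are all assumptions made for the example.

```python
"""Retention review over a constructed data inventory.

Added example, not code from the original page. The purposes, retention
periods, review interval and records are all made up for illustration; real
periods come from your legal obligations and your own documented justification.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Hypothetical per-purpose retention policy, counted from the date the purpose
# ended (order delivered, contract closed, ...). None means no fixed period
# could be set at collection time, so those records go into periodic review.
RETENTION: Dict[str, Optional[timedelta]] = {
    "order_fulfilment": timedelta(days=365),
    "accounting_records": timedelta(days=6 * 365),  # illustrative statutory-style period
    "marketing_consent": timedelta(days=2 * 365),
    "support_history": None,
}
REVIEW_INTERVAL = timedelta(days=180)  # how often open-ended records are re-examined
TODAY = date(2024, 6, 1)               # fixed so the example is reproducible


@dataclass(frozen=True)
class Record:
    id: str
    purpose: str
    collected: date
    purpose_ended: Optional[date] = None   # set when the original purpose is fulfilled
    last_reviewed: Optional[date] = None


def classify(rec: Record, today: date) -> str:
    """Decide what to do with one record: 'keep', 'expire', 'review' or 'unknown_purpose'."""
    if rec.purpose not in RETENTION:
        # No documented purpose means no retention justification you could show.
        return "unknown_purpose"
    period = RETENTION[rec.purpose]
    if period is not None and rec.purpose_ended is not None:
        # 'expire' means erase, or anonymise so the record no longer identifies anyone.
        return "expire" if rec.purpose_ended + period <= today else "keep"
    # Either the purpose is still running or it has no fixed period: make sure
    # someone re-checks the record at least every REVIEW_INTERVAL.
    last_checked = rec.last_reviewed or rec.collected
    return "review" if last_checked + REVIEW_INTERVAL <= today else "keep"


# Constructed inventory rows.
INVENTORY = [
    Record("ord-1001", "order_fulfilment", date(2023, 1, 10), purpose_ended=date(2023, 1, 20)),
    Record("ord-1002", "order_fulfilment", date(2024, 3, 1), purpose_ended=date(2024, 3, 5)),
    Record("ord-1003", "order_fulfilment", date(2022, 1, 1)),           # never marked complete
    Record("inv-2019", "accounting_records", date(2019, 3, 1), purpose_ended=date(2019, 3, 31)),
    Record("tkt-77", "support_history", date(2023, 1, 1)),
    Record("tkt-78", "support_history", date(2024, 5, 1)),
    Record("tkt-79", "support_history", date(2023, 1, 1), last_reviewed=date(2024, 5, 1)),
    Record("legacy-5", "legacy_import", date(2015, 6, 1)),               # purpose never recorded
]


def review(records: List[Record] = INVENTORY, today: date = TODAY) -> Dict[str, List[str]]:
    """Bucket record ids by action so each bucket can be worked as a task list."""
    buckets: Dict[str, List[str]] = {"keep": [], "expire": [], "review": [], "unknown_purpose": []}
    for rec in records:
        buckets[classify(rec, today)].append(rec.id)
    return buckets


if __name__ == "__main__":
    for action, ids in review().items():
        print(f"{action:16} {ids}")
```

The 'unknown_purpose' bucket is the one to clear first: a record with no recorded purpose cannot be justified under the accountability principle at all, whereas the 'review' bucket is simply the periodic check the text describes, and the 'expire' bucket is the deletion or anonymisation task list.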

Kept secure and processed securely

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Article 5(1)(f) - Principles relating to processing of personal data, GDPR

Some possible practical upshots for SMEs:

  • IT network security needs to be well managed, with security patches applied promptly
  • No more emailing of spreadsheets of customer/supplier details unless you are using encrypted email (use links to files in access-controlled locations instead, so the data stays in one place where access can be revoked)
  • Hard drives should be encrypted, particularly on laptops and other portable devices that can be lost or stolen
  • Sensitive data may need to be encrypted within databases, with the keys kept separate from the data they protect
  • Filing cabinets should be locked and the issuing of keys controlled and recorded
  • Personal data mustn't be left lying around on desks if people without permission to see that data could pass by (cleaners, couriers, etc.)
  • PCs need to be password protected and locked when unattended
  • Staff need to be well trained in secure data handling techniques

It's your responsibility to prove you complied

In addition to the points in Article 5(1), Article 5(2) adds that:

The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

Article 5(2) - Principles relating to processing of personal data, GDPR

In other words, you not only have to meet the principles above, you also have to show that you are meeting them, and probably also prove that you have done so historically. Should a historic data breach be identified, you would then be able to demonstrate that you had robust processes in place at the time and that those processes were actually being followed.

Some possible practical upshots for SMEs:

  • GDPR compliance processes need to be documented, including the purposes and lawful basis for each type of processing
  • Records of who accessed personal data, and when, should be kept
  • Records of things like IT network security auditing and PC security patch installation should be kept, dated, so that you can show what was in place at any given time.

Important: This site describes our current understanding of the General Data Protection Regulation (GDPR).

We are not lawyers, always seek specialist GDPR advice for your organisation.

About Redox Software

At Redox we specialise in producing bespoke software written especially for your business. We can write you a system that can be used on your computer, via the web or on your tablet/phone – or any combination of those - either now or in the future.

Our Contact Details

The Colin Sanders Innovation Centre
Mewburn Road, Banbury
Oxfordshire. OX16 9PA

+44 (0)1295 817646