Otherwise known as the measuring stick by which your GDPR compliance will be assessed, the six core principles of the GDPR are the basic foundations upon which the regulation was constructed.
Unquestionable and pure in nature, they are rarely acknowledged for one simple reason: five of the six are of no real use in helping you peddle products and solutions.
Thou Shalt GDPR
Buried in the 88 pages of the GDPR under Chapter Two Article Five, the biblically-styled principles are set out in less dramatic fashion than they possibly deserve.
1. Personal information shall be processed lawfully, fairly and in a transparent manner
Jargon deciphered, principle one specifically nods toward the concept of clear consent. In any situation where personal information is collected, it should have the demonstrable consent of the data subject. Opt-in tick boxes are still permitted, but the regulation explicitly prohibits consent by non-action or opt-out boxes. The death of those confusing subscription choices at the bottom of forms is on the horizon.
2. Personal information shall be collected for specified, explicit and legitimate purposes
Where personal information is collected, the purpose of its collection and subsequent processing must be communicated to the data subject. Organisations are going to need to become much clearer with data subjects about what their personal information is going to be used for.
3. Personal information shall be adequate, relevant, and limited to what is necessary
When collecting personal information, the data controller must only collect personal information that is absolutely required for the specified purpose. For example, if collecting personal information to send a magazine subscription, there is no basis for requiring my date of birth.
4. Personal information shall be accurate and, where necessary, kept up-to-date
It is now the obligation of the data controller to ensure – to the best of their abilities – that the information collected is correct. This may seem difficult and even trivial; however, what the regulation is trying to address are situations where processing incorrect personal information may cause distress or harm to data subjects.
5. Personal information shall be retained only for as long as necessary
Marketing teams wince at this principle as though it is the sourest of grapes on the vine. All personal information must now have an expiration date applied appropriate to its collected purpose. Indefinite retention is unlikely to ever entertain the patience of the supervisory authority.
6. Personal information shall be processed in an appropriate manner to maintain security
This is the principle that has attracted much focus, for it requires data controllers and processors to ensure the confidentiality, integrity and availability of their data processing systems.
21st Century Snake Oil
The GDPR was deliberately designed to shy away from mandating technological solutions. It accepts and even advocates that in most cases organisational controls provide sufficient protection: for example, modifying existing online web forms, creating a policy for the deletion of expired personal information, or managing privileged access to ensure the confidentiality and integrity of processing systems.
Focusing on just one principle by way of seeking to sell solutions does an injustice to the purpose and spirit of the regulation as a whole.
The GDPR is not really supposed to create a feeding frenzy of solution purchases, nor is it there to induce stress through budget-busting administrative fines if you don’t buy solutions. The six core principles show us that it is simply there to ensure that the personal information and attributes of people, like you and me, are afforded the care and protection they deserve and we expect.
Albert Einstein once said, “Any fool can know; the point is to understand.” So, put your wallet away; it’s probably not required.
About the Author: Chris Payne is Senior Technical Consultant at Infinigate UK. With 9 years of experience working in IT security, Chris has a wealth of knowledge around information security and holds a GDPR certification under IBITG. In addition to this, he has worked on some of Infinigate’s largest deployment projects and regularly appears as a guest contributor to IT security related blogs, whitepapers and articles. You can follow Chris on LinkedIn and Twitter.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.