
Otherwise known as the measuring stick by which your GDPR compliance will be assessed, the six core principles of the GDPR are the basic foundations upon which the regulation was constructed.

Unquestionable and pure in nature, they are rarely acknowledged for one simple reason: five of the six have no real application in helping you peddle products and solutions.

Thou Shalt GDPR

Buried in the 88 pages of the GDPR under Chapter Two Article Five, the biblically-styled principles are set out in less dramatic fashion than they possibly deserve.

1. Personal information shall be processed lawfully, fairly and in a transparent manner

Jargon deciphered, principle one specifically nods toward the concept of clear consent. In any situation where personal information is collected, it should have the demonstrable consent of the data subject. Opt-in tick boxes are still permitted, but the regulation explicitly prohibits consent by non-action or opt-out boxes. The death of those confusing subscription choices at the bottom of forms is on the horizon.

2. Personal information shall be collected for specified, explicit and legitimate purposes

Where personal information is collected, the purpose of its collection and subsequent processing must be communicated to the data subject. Organisations are going to need to become much clearer with data subjects about what their personal information is going to be used for.

3. Personal information shall be adequate, relevant, and limited to what is necessary

When collecting personal information, the data controller must only collect personal information that is absolutely required for the specified purpose. For example, if collecting personal information to send a magazine subscription, there is no basis for the requirement of my date of birth.

4. Personal information shall be accurate and, where necessary, kept up-to-date

It is now the obligation of the data controller to ensure – to the best of their abilities – that the information collected is correct. This may seem difficult and even trivial; however, what the regulation is trying to address are situations where processing incorrect personal information may cause distress or harm to data subjects.

5. Personal information shall be retained only for as long as necessary

Marketing teams wince at this principle as though it is the sourest of grapes on the vine. All personal information must now have an expiration date applied appropriate to its collected purpose. Indefinite retention is unlikely to ever entertain the patience of the supervisory authority.

6. Personal information shall be processed in an appropriate manner to maintain security

This is the principle that has attracted the most focus, because it requires data controllers and processors to ensure that their systems maintain the confidentiality, integrity and availability of data processing systems.

21st Century Snake Oil

The GDPR was designed to deliberately shy away from mandating the need for technological solutions. It accepts and even advocates that in most cases organisational controls provide sufficient protection. Examples include modifying existing online web forms, creating a policy for the deletion of expired personal information, or privileged access management to ensure the confidentiality and integrity of processing systems.

Focusing on just one principle by way of seeking to sell solutions does an injustice to the purpose and spirit of the regulation as a whole.

The GDPR is not really supposed to create a feeding-frenzy of solution purchases, nor is it there to induce stress through budget-busting administrative fines if you don’t buy solutions. The six core principles show us that it is simply there to ensure that the personal information and attributes of people like you and me are afforded the care and protection they deserve and we expect.

Albert Einstein once said, “Any fool can know; the point is to understand.” So, put your wallet away; it’s probably not required.


About the Author: Chris Payne is Senior Technical Consultant at Infinigate UK. With 9 years of experience working in IT security, Chris has a wealth of knowledge around information security and holds a GDPR certification under IBITG. In addition to this, he has worked on some of Infinigate’s largest deployment projects and regularly appears as a guest contributor to IT security related blogs, whitepapers and articles. You can follow Chris on LinkedIn and Twitter.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

  • Niko Bel

    Re 1. “In any situation where personal information is collected, it should have the demonstrable consent of the data subject”.
    This is incorrect; the overhyped ‘explicit consent’ clause (GDPR 6(1)(a)) is only one of the 6 legal bases stated in the GDPR and, contrary to popular belief, it is not likely to be appropriate in very many situations. The other 5 are:

    6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
    6(1)(c) – Processing is necessary for compliance with a legal obligation
    6(1)(d) – Processing is necessary to protect the vital interests of a data subject or another person
    6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (according to the ICO ‘Consultation GDPR Consent Guidance’, 02.03.2017 […] in case you are a UK public body this is likely to give you a lawful basis for many if not all of your activities)
    6(1)(f) – Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

    GDPR 9(2)(a) through 9(2)(j) lists 10 more ‘Conditions for special categories of data’ where consent may not apply (healthcare and law practices, employment, membership of political, philosophical, religious organizations and trade unions, public health, scientific or historical research, statistics, etc.).
    Requesting consent where another legal ground is more appropriate is even considered misleading.
    See also: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/key-areas-to-consider/
