The General Data Protection Regulation (GDPR) is a landmark privacy law designed to give individuals greater control over their personal data.
Since it came into effect in May 2018, the GDPR has imposed strict rules on how organisations collect, store, and use personal data, from phone numbers to medical history. These data protection principles apply to every living individual whose information you hold, including employees, customers, contractors, and members of the public.
Although the GDPR originated as an EU regulation, it was retained in UK law after Brexit as the “UK GDPR”, which sits alongside the Data Protection Act 2018. Together they set out the core data protection principles and the penalties for organisations that fail to comply.
What are GDPR data protection principles?
The full GDPR text runs to 99 articles and 173 recitals, but it revolves around two key premises:
- Organisations must have a valid reason for collecting personal data.
- Organisations must implement adequate security measures to protect against data breaches or misuse of personal information.
These principles are crucial for ensuring compliance and safeguarding personal data. To increase awareness of GDPR within your organisation, our UK GDPR Training course equips employees with a deep understanding of the implications of GDPR in the context of data security.
What is personal data under UK GDPR?
Under the General Data Protection Regulation (GDPR), personal data is treated in practice as two main types:
- Sensitive personal data.
- Non-sensitive personal data.
The distinction between these two types is crucial because it affects how the data must be handled and the level of protection required.
Sensitive personal data (also known as “special category data”)
This is a subset of personal data that is deemed more sensitive and therefore requires additional protection. Processing this type of data is more restricted because it has the potential to cause more significant harm or discrimination to the individual if mishandled.
Examples:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (where used for identification purposes)
- Health information
- Information concerning a person’s sex life or sexual orientation.
The GDPR imposes stricter conditions on processing sensitive personal data. Organisations need to have a specific legal basis for processing this data, such as explicit consent from the individual, or other justifications provided by GDPR (for example, vital interests of the data subject, substantial public interest, or for legal claims).
Non-sensitive personal data
This refers to any information that can identify an individual directly or indirectly but does not fall into the special categories of data that are considered more sensitive.
Examples:
- Name
- Address
- Email address
- Phone number
- Date of birth
- IP address
- Employment details
- Financial information (like bank account numbers, as long as they don’t reveal sensitive information).
While this data still requires protection under GDPR, the rules are somewhat less stringent compared to sensitive personal data. Organisations must ensure that this data is processed lawfully, transparently, and for legitimate purposes.
What are the key differences between sensitive and non-sensitive personal data?
- Level of protection. Sensitive personal data requires a higher level of protection and more rigorous handling procedures compared to non-sensitive personal data.
- Legal basis for processing. Processing sensitive personal data requires a stronger legal basis (like explicit consent or substantial public interest), whereas non-sensitive personal data can often be processed under a broader range of legal bases.
- Impact of mishandling. Mishandling sensitive personal data could lead to more severe consequences, including significant harm to individuals or discrimination, and therefore, it is subject to stricter regulations under GDPR.
The distinction between sensitive and non-sensitive data lies in the potential harm that could result from mishandling the data.
How does GDPR affect organisations?
The GDPR requires organisations to comply with stringent data handling rules. For instance, when a website sets tracking cookies, it must obtain the user’s consent first; in the UK the cookie rule itself comes from the Privacy and Electronic Communications Regulations (PECR), but the standard that consent must meet (freely given, specific, informed and unambiguous) is the GDPR’s.
The regulation also affects marketing activities, including data permission (customers confirming their wish to be contacted), data access (customers’ right to opt-out or unsubscribe), and data focus (collecting only relevant data).
Furthermore, individuals can submit a subject access request (SAR) to obtain a copy of the personal data an organisation holds about them. Separately, they also have the right to ask for that data to be rectified if it is inaccurate, or erased where one of the GDPR’s grounds for erasure applies.
Two critical terms in understanding GDPR obligations are:
- Data controller. The data controller decides what data is collected, why it is collected, and how it should be processed. The data controller is responsible for ensuring the organisation is GDPR compliant, including data accuracy and confidentiality. The controller must also notify the Information Commissioner’s Office (ICO) of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.
- Data processor. The data processor collects, analyses, records, and documents the data on behalf of, and only as instructed by, the data controller. If a processor discovers a breach, it must inform the controller without undue delay.
Failure to comply with GDPR can lead to severe penalties. For instance, British Airways was fined £20 million by the ICO in 2020 for a 2018 data breach. For the most serious infringements, organisations can be fined up to £17.5 million or 4% of their total worldwide annual turnover, whichever is higher.
What are the 7 principles of GDPR?
The GDPR incorporates seven principles that are the foundation of data protection:
- Lawfulness, fairness, and transparency. Organisations must clearly communicate the reasons for data collection and how the data will be used, ensuring that all processes are transparent and compliant with GDPR.
- Purpose limitation. Data must be collected for specified, explicit and legitimate purposes and must not be further processed in a way that is incompatible with those purposes. Using it for a new, unrelated purpose generally requires a fresh lawful basis, such as the individual’s consent.
- Data minimisation. Organisations should only collect data that is necessary and relevant to the purpose for which it is processed, avoiding the collection of excessive information.
- Accuracy. Organisations must ensure that the data they hold is accurate and, where necessary, kept up to date. When an individual asks for inaccurate or incomplete data to be corrected, the organisation must act without undue delay and at the latest within one month, a period that can be extended by up to two further months for complex or numerous requests.
- Storage limitation. Data should not be kept longer than necessary. Organisations must establish procedures for regular data reviews and ensure the secure deletion of data that is no longer required.
- Integrity and confidentiality. Organisations are required to implement security measures to protect data from internal and external threats, including unauthorised access, loss, or damage.
- Accountability. Organisations must take responsibility for the data they hold and be able to demonstrate compliance with all GDPR principles. This includes keeping records of processing, providing GDPR training for employees, and appointing a data protection officer where the regulation requires one (for example, public authorities and organisations that carry out large-scale monitoring or large-scale processing of special category data).
UK GDPR training & awareness for employees
Ensure your organisation complies with data protection regulations with our UK GDPR Training and Awareness course.
The course provides employees and managers with an in-depth understanding of GDPR data protection principles, promoting best practices in data handling and management.
Embedding core data protection principles into organisational culture helps to build trust with stakeholders, enhance reputation and prevent costly fines that can result from non-compliance.
Tom Paxman
Managing Director (Digital)