What are the 7 principles of GDPR storage limitation?

The General Data Protection Regulation (GDPR) is a European regulation that strengthens data protection for individuals within the European Union (EU). One of the principles it sets out in Article 5 is storage limitation: personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed (Article 5(1)(e)). In plain terms, personal data should only be kept for as long as necessary to fulfil the purpose for which it was collected and processed in the first place.

Storage limitation is itself one of the seven principles listed in Article 5, and it cannot be applied on its own: how long data may be kept depends on the purpose it was collected for, how much was collected, whether it is still accurate, how it is secured, how the decision is documented, and what the people it describes were told. This article walks through those seven principles as they bear on the retention and storage of personal data.

Principle 1: Time Limitation

The first principle is time limitation, which is the storage limitation principle itself as written in Article 5(1)(e): personal data may be kept in a form that permits identifying the data subject for no longer than is necessary for the purposes for which it is processed (ICO, n.d.). Once those purposes have been fulfilled, the data should be deleted or anonymised. Article 5(1)(e) permits longer storage only where the data is processed solely for archiving in the public interest, scientific or historical research, or statistical purposes, and then only with the safeguards required by Article 89(1).

For example, if a company collects customer data for an online purchase, it should only store that data for as long as needed to fulfil the order and any related activities like returns or warranties. It cannot hold onto the data indefinitely “just in case” it might be useful later (European Commission, n.d.). Once the transaction is complete and any legally required retention periods (tax and accounting record-keeping, for example) have passed, the data should be deleted.
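As an added illustration (not code from the original article or any cited guidance), the following Python sketches how a retention job can enforce this principle: each purpose carries its own retention period and the event that starts its clock, statutory periods and legal holds keep a record alive after the transaction itself is done, and anything the schedule does not cover is held for review rather than silently deleted. The purposes, retention periods and sample records are constructed assumptions; real periods come from a legal review of the obligations behind each purpose.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Retention schedule per processing purpose (constructed assumption).
# "runs_from" says which event starts the clock: the date the data was
# collected, or the date the purpose was completed (order shipped, contract ended).
RETENTION_SCHEDULE = {
    "order_fulfilment": {"days": 0, "runs_from": "completed"},      # gone once the order is done...
    "warranty": {"days": 730, "runs_from": "completed"},            # ...unless a 2-year warranty still runs
    "tax_records": {"days": 10 * 365, "runs_from": "completed"},    # statutory bookkeeping period (assumed)
    "marketing": {"days": 365, "runs_from": "collected"},           # re-consent yearly (assumed)
}


@dataclass
class Record:
    record_id: str
    purposes: list[str]
    collected: date
    completed: date | None = None  # when the primary purpose was fulfilled; None = still open
    legal_hold: bool = False       # litigation or regulator hold overrides the schedule


@dataclass
class Decision:
    record_id: str
    action: str   # "delete" or "retain"
    reason: str


def evaluate(record: Record, today: date) -> Decision:
    """Decide whether a record may be deleted as of `today`.

    A record is deleted only when every purpose it was collected for has been
    fulfilled and every retention period tied to those purposes has expired.
    Anything the schedule does not cover is retained and flagged, so a gap in
    the schedule never silently destroys data (or silently keeps it forever).
    """
    if record.legal_hold:
        return Decision(record.record_id, "retain", "legal hold")

    blockers = []
    for purpose in record.purposes:
        rule = RETENTION_SCHEDULE.get(purpose)
        if rule is None:
            blockers.append(f"{purpose}: no retention rule, needs review")
            continue
        if rule["runs_from"] == "completed":
            if record.completed is None:
                blockers.append(f"{purpose}: still active")
                continue
            start = record.completed
        else:
            start = record.collected
        expiry = start + timedelta(days=rule["days"])
        if today < expiry:
            blockers.append(f"{purpose}: retain until {expiry.isoformat()}")

    if blockers:
        return Decision(record.record_id, "retain", "; ".join(blockers))
    return Decision(record.record_id, "delete", "all purposes fulfilled and retention periods expired")


def plan_retention(records: list[Record], today: date) -> list[Decision]:
    return [evaluate(r, today) for r in records]


# Constructed sample data.
AS_OF = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("r1", ["order_fulfilment", "warranty"], date(2022, 1, 10), completed=date(2022, 1, 15)),
    Record("r2", ["order_fulfilment", "tax_records"], date(2023, 2, 20), completed=date(2023, 3, 1)),
    Record("r3", ["order_fulfilment"], date(2024, 5, 20)),
    Record("r4", ["marketing"], date(2023, 1, 1), legal_hold=True),
    Record("r5", ["analytics"], date(2020, 1, 1)),
]

if __name__ == "__main__":
    for d in plan_retention(SAMPLE_RECORDS, AS_OF):
        print(f"{d.record_id}: {d.action:6} ({d.reason})")
```

Run as a dry run first: the decisions, with their reasons, are the evidence trail the accountability principle asks for, and only the "delete" set should be handed to the actual erasure step. The schedule deliberately treats an unknown purpose as a blocker rather than a reason to delete, so new processing activities must be added to the schedule before their data is touched.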

Principle 2: Purpose Limitation

The GDPR’s purpose limitation principle states that personal data should only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (Article 5(1)(b); ICO, n.d.). In other words, organizations can only use the personal data for the specific purpose for which it was originally collected and must specify this purpose at the time of collection.

For example, if a company collects customer email addresses for marketing purposes, they cannot then use those email addresses for employment recruiting purposes. The emails were collected for marketing, so they can only be used for that original specified purpose.

If an organization wants to use personal data for a new purpose, it must first check whether the new purpose is compatible with the original one (Article 6(4)); if it is not, it needs a separate lawful basis for the new processing, of which fresh consent is one option, and in either case it must inform the individuals before the further processing starts (Article 13(3)). Processing for an incompatible purpose without doing this is unlawful under the GDPR.

Principle 3: Data Minimization

Data minimization under the GDPR means that organizations should only collect and store the minimum amount of personal data necessary to fulfill the specified purpose. According to the ICO, personal data should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”

In practice, this means organizations should carefully evaluate the types of personal data being collected and retained. Any unnecessary or excessive data beyond what is required for the intended processing should be removed. The GDPR emphasizes that data minimization helps reduce risks to individuals’ privacy and minimize the impacts in the event of a data breach.

Some examples of implementing data minimization could include deleting old customer records that are no longer needed, anonymizing data where possible, and collecting only essential user information for online forms and services. Overall, the principle stresses that organizations should actively minimize personal data collection and retention.

Principle 4: Accuracy

The GDPR’s principle of accuracy requires that personal data is kept accurate and up-to-date. Controllers must take reasonable steps to ensure the accuracy of data by implementing appropriate procedures and processes.

Data that is inaccurate or out of date should be erased or rectified without delay. The GDPR states that “every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay” (Article 5(1)(d)).

To comply with this principle, organizations should:

  • Regularly review the accuracy of personal data and implement processes to keep it up-to-date.
  • Provide individuals with self-service portals to review and update their information.
  • Enable individuals to flag records they believe are inaccurate.
  • Investigate and validate reported inaccuracies, correcting or erasing inaccurate data.

Keeping personal data accurate and current is key to complying with the GDPR’s accuracy principle and respecting individuals’ rights. Failing to erase or rectify inaccurate data in a timely manner can result in violations and penalties.

Principle 5: Integrity and Confidentiality

The fifth principle is integrity and confidentiality, set out in Article 5(1)(f). Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Companies must use appropriate technical and organizational measures to ensure the integrity and confidentiality of personal data. This includes implementing data security technologies like encryption and access controls to prevent unauthorized access or modification of data.

For example, access to sensitive customer data should only be granted to employees who need it to perform their job duties, and that access should be reviewed when roles change. Companies should also regularly test and audit their security systems to identify and address vulnerabilities; Article 32(1)(d) expressly requires a process for regularly testing, assessing and evaluating the effectiveness of the security measures.

Overall, the integrity and confidentiality principle requires organizations to implement robust cybersecurity programs and processes that securely store personal data and prevent breaches of sensitive information (Source: https://www.onetrust.com/blog/gdpr-principles/). Maintaining data security is essential for compliance with GDPR and protecting individual privacy rights.

Principle 6: Accountability

The accountability principle places the responsibility on the controller to comply with the principles and states that the controller must be able to demonstrate compliance. The GDPR requires that controllers implement appropriate technical and organizational measures to ensure and be able to demonstrate that all data processing activities comply with the regulation (Article 5(2), https://gdpr-info.eu/art-5-gdpr/).

This means controllers must keep records of their processing activities (Article 30), implement data protection policies, and appoint a Data Protection Officer where Article 37 requires one (public authorities, or organisations whose core activities involve large-scale regular monitoring or large-scale processing of special categories of data). They must also implement data protection by design and by default (Article 25), with pseudonymisation (Article 25(1)) and encryption (Article 32(1)(a)) as the measures the regulation itself names. Where processing relies on consent, the controller must be able to demonstrate that the data subject consented (Article 7(1)). Overall, the accountability principle requires controllers to take responsibility for complying with GDPR and to be able to demonstrate compliance through policies, documentation and implementation of appropriate measures.
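The data minimisation measures described under Principle 3 and the pseudonymisation measure named here can be shown together. The following Python is an added example, not code from the original article or from any cited guidance; the per-purpose schemas, the key and the sample record are constructed. It keeps only the fields each purpose actually needs, and contrasts an unkeyed hash of an email address, which a dictionary attack reverses, with a keyed HMAC pseudonym, which cannot be reversed without the separately stored key.

```python
from __future__ import annotations

import hashlib
import hmac
from typing import Callable

# Per-purpose schemas (constructed assumption): the fields a purpose actually
# needs, and whether it needs a stable but non-identifying reference to the
# data subject. Anything not listed is dropped before the data reaches that purpose.
PURPOSE_SCHEMAS = {
    "shipping": {"fields": {"name", "street", "city", "postcode"}, "subject_ref": False},
    "analytics": {"fields": {"city", "order_total"}, "subject_ref": True},
}

# Constructed key for the example. In production it lives in a secret store or
# KMS, separate from the pseudonymised dataset: Article 4(5) GDPR defines
# pseudonymisation by exactly that separation of the "additional information".
PSEUDONYM_KEY = bytes.fromhex("5d4e1c0f9a7b3c2e8f6d1a0b4c7e9f215d4e1c0f9a7b3c2e8f6d1a0b4c7e9f21")


def normalise(identifier: str) -> str:
    return identifier.strip().lower()


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Looks anonymous, but the input space (email addresses)
    is small enough that anyone holding the dataset can reverse it by guessing."""
    return hashlib.sha256(normalise(identifier).encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """HMAC-SHA256 pseudonym: stable enough for joins, but re-identification needs the key."""
    return hmac.new(key, normalise(identifier).encode(), hashlib.sha256).hexdigest()


def dictionary_attack(target: str, candidates: list[str], pseudonym_fn: Callable[[str], str]) -> str | None:
    """What an attacker who obtained the dataset does: hash each guess and compare."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonym_fn(candidate), target):
            return candidate
    return None


def minimise(record: dict, purpose: str) -> dict:
    """Keep only the fields the purpose needs; where a link to the subject is
    needed, replace the identifier with a keyed pseudonym instead of copying it."""
    schema = PURPOSE_SCHEMAS[purpose]
    out = {k: v for k, v in record.items() if k in schema["fields"]}
    if schema["subject_ref"]:
        out["subject_ref"] = keyed_pseudonym(record["email"])
    return out


# Constructed sample record, as a web shop might collect it at checkout.
SAMPLE_RECORD = {
    "name": "Alice Example",
    "email": "Alice@Example.com",
    "phone": "+44 7700 900123",
    "street": "1 High Street",
    "city": "Leeds",
    "postcode": "LS1 1AA",
    "order_total": 42.50,
}

# Constructed guess list an attacker might bring (a leaked address list, say).
CANDIDATE_EMAILS = ["bob@example.com", "alice@example.com", "carol@example.org"]

if __name__ == "__main__":
    print("analytics view:", minimise(SAMPLE_RECORD, "analytics"))
    print("naive hash reversed to:",
          dictionary_attack(naive_pseudonym(SAMPLE_RECORD["email"]), CANDIDATE_EMAILS, naive_pseudonym))
    print("keyed pseudonym reversed without the key:",
          dictionary_attack(keyed_pseudonym(SAMPLE_RECORD["email"]), CANDIDATE_EMAILS,
                            lambda c: keyed_pseudonym(c, b"attacker-guess")))
```

The analytics view never sees the name, email or phone number, and its subject reference is only linkable back to a person by whoever holds the key, which is why the key must be managed and access-controlled separately from the data. Pseudonymised data is still personal data under the GDPR; only the key-holder's separation makes the measure meaningful, and rotating the key breaks the link for everything pseudonymised under it.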

Principle 7: Transparency

The transparency principle states that data subjects should be informed about how their personal data is being processed. This includes details about:

  • The identity and contact details of the data controller
  • The purposes and legal basis for processing the data
  • The recipients or categories of recipients of the personal data
  • The retention period or criteria used to determine the retention period
  • The existence of data subject rights such as access, rectification, erasure, restriction of processing, objection to processing, and data portability
  • The right to lodge a complaint with the supervisory authority

Controllers must provide this information at the time the data is obtained from the data subject (Article 13); where the data comes from another source, it must be provided within a reasonable period and at the latest within one month (Article 14). The information must be concise, transparent, intelligible, easily accessible, and written in clear and plain language (Article 12(1)). This enables data subjects to understand how their data is being used and for what purposes (GDPR-INFO, n.d.).

Being transparent about storage details and retention periods demonstrates accountability and gives data subjects more control over their personal data. It also builds trust between organizations and individuals.

Conclusion

In summary, storage limitation cannot be met in isolation: the seven Article 5 principles together govern how personal data is retained. By adhering to time and purpose limitations, minimizing data, ensuring accuracy and integrity, creating accountability, and enabling transparency, organizations can better comply with GDPR while respecting individuals’ privacy. Proper data retention, protection, and disposal are key to avoiding data breaches, misuse, and other risks. Ultimately, these principles aim to give people more control over their information by limiting how long and for what purposes it can be kept. Following them demonstrates an organization’s commitment to responsible data practices.

References

[1] European Union. “REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).” Official Journal of the European Union L119 (2016): 1-88.

[2] Information Commissioner’s Office. “Principle (b): Purpose Limitation.” Accessed [date]. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/purpose-limitation/.

[3] European Data Protection Board. “Guidelines 4/2019 on Article 25 Data Protection by Design and by Default.” Version 2.0 Adopted on 20 October 2020. https://edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_20200420_dataprotection_by_design_and_by_default.pdf.

[4] Information Commissioner’s Office. “Principle (c): Data minimisation.” Accessed [date]. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/data-minimisation/.

[5] European Data Protection Board. “Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation.” Version 2.0 Adopted on 7 November 2019. https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201801_v2.0_on_certification_and_identifying_certification_criteria_en.pdf.

[6] Information Commissioner’s Office. “Principle (d): Accuracy.” Accessed [date]. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/accuracy/.

[7] European Data Protection Board. “Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679.” Version 2.0 Adopted on 4 June 2019. https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201901_v2.0_on_code_of_conduct_en.pdf.

[8] Information Commissioner’s Office. “Principle (f): Integrity and confidentiality.” Accessed [date]. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/integrity-and-confidentiality/.

[9] European Data Protection Board. “Guidelines on transparency under Regulation 2016/679 (wp260rev.01).” Version 2.1 Adopted on 11 April 2018. https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_on_transparency_revised_public_consultation_version_en.pdf.

[10] Information Commissioner’s Office. “Accountability and governance.” Accessed [date]. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/.