Speaker 1: So what are GDPR's seven principles and how do they drive your compliance? We'll tell you in just a minute per principle. And you do need to know, because breach of the principles leads to the highest fine under GDPR: 4% of your global turnover or 20 million euros (or 17.5 million pounds, depending on your GDPR), whichever is higher. That's the maximum fine. So stick with us, and also for the bonus tip on creating your privacy framework.

Hi, I'm Robert Boer, the founder and CEO of Keepable, the award-winning privacy solution saving you time, money and stress on GDPR, giving you great insights for the board and answers for customers. Do check us out on keepable.com. This video is part of Privacy Kitchen, free video help on GDPR and all things privacy. If you're new here, please do click subscribe and notify to hear about all of our fantastic new videos. As always, links are in the notes below, and we'll just use GDPR for both EU and UK GDPR because they are identical on this point, at least for the moment; that's for another video. Right, grab a cup of coffee and let's crack on.

Okay, so here are GDPR's seven principles. They're set out in Article 5 of GDPR. Now, an article in GDPR is like a section in other laws, so it's like saying section 5, but let's not go there.

Right, number one: lawful, fair and transparent. Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. Now, unsurprisingly, this is the lawfulness, fairness and transparency principle, but the focus has mostly been on lawful and transparent. That gives you a very good position on fairness. So people do often call this the lawfulness principle or the transparency principle. Now, lawful includes identifying a legal basis for your processing. We've got videos on that. And there have been fines for not identifying one and for identifying the wrong one, like consent, legitimate interests, et cetera. And obviously this also includes otherwise complying with the law. Now, transparent includes providing all the information that GDPR says you've got to give individual data subjects about what you're doing with their personal data. None of this, again, is new. Most of GDPR was there before in the Directive. Now, fairness is subjective, but it plays into the reasonable expectations of the individual. As the UK ICO states, this means you must not process the data in a way that's unduly detrimental, unexpected or misleading to the individuals concerned.

Right, principle number two: purpose limitation. You should only collect personal data for specified, explicit and legitimate purposes and not process it in a manner that's incompatible with those purposes. This is the purpose limitation principle. It makes total sense. You can't tell people you're only going to process their data to provide, say, software services to them and then suddenly sell them insurance. The key takeaway here: when you're creating your privacy notices for that transparency principle, make sure you cover the purposes for which you're processing the data. It's not easy to suddenly start processing for a new purpose if you haven't identified it upfront. There are some exceptions for research and statistics, which aren't seen as incompatible. And this is one area that the UK is looking at in its new review from August 2021 onwards, and we'll see how that goes.

Now, number three: data minimisation. Personal data that you process must be adequate, relevant and limited to what's necessary in relation to the purposes for which you're processing it. Data minimisation means you don't collect more personal data than is necessary for your stated purpose. That's actually always been the case, as I said before, but GDPR's fines and increased awareness mean it's clear you've got to be focused on only collecting what's necessary. And a good benefit, if you're selling this to other team members: having less personal data means there's less to protect against breach, less risk, and less to search for a data subject request.

Okay, accuracy. Personal data you process must be accurate and kept up to date where necessary. This is the accuracy principle. This also includes taking every reasonable step to ensure that any inaccurate personal data for those purposes are erased or rectified (corrected) without delay. So this points to a couple of the data subject rights: the right to rectification, or to correct incorrect data, and one aspect of the right to erasure. The accuracy principle doesn't normally cause much issue.

Now, storage limitation. This principle says that when you have personal data, you should only keep it in a form which permits identification of the data subjects (as in, keep it as personal data) for no longer than necessary for the purposes for which you're processing it, which you told them about under the transparency principle. This is the storage limitation principle. And again, there are some research and stats exemptions, but when you hear the word retention, this is what it relates to: not keeping personal data for any longer than necessary for your specified purposes. Some retention periods are set out in law, like on tax and maternity and paternity records, for example, but mostly this is about a commercial decision: what's necessary and relevant for your purpose. But beware, regulators aren't going to accept infinity because you might use it someday. It's got to be reasonable. Now, another benefit as well: because you're having appropriate retention periods, you either delete or anonymise that data at the end, which means, again, there's less attack surface for risk and breach and also less to search when you have a data subject request. However, retention is the area I believe presents the most difficulty in GDPR compliance programs, and it's not just about GDPR, it's any privacy law.

Okay, security. Now, of course, at all times personal data must be secure, and GDPR's security principle requires that personal data is processed in a manner that ensures appropriate security of personal data, including against unauthorised or unlawful processing and accidental loss, destruction or damage. You've got to use appropriate technical and organisational measures for security. Why they call it the integrity and confidentiality principle, I don't know; they should just say security. Everyone calls it the security principle. So security is fundamental to privacy, but it's only one of the seven principles. Most of GDPR is not about security. Look at our very polemic "ISO 27001 is not GDPR" video and see what we mean.

Now, the seventh principle: accountability. If you're a controller, you're responsible for compliance with the other six principles and for being able to demonstrate compliance with those other six principles. This seventh principle is the accountability principle, and it's the main change to the principles brought in by GDPR. Now, although it's number seven, you've got to bake this in from the start. GDPR enshrined data protection by design and by default into law and brought in various obligations on records. So this accountability principle means you have privacy governance in place, focused on GDPR, and you're able to demonstrate that compliance to regulators, but also to the board, auditors, investors, customers and partners.

And now for our bonus tip, fantastic. If you're looking to create privacy governance to cover more than one jurisdiction, it's a good thing to make it principles-based, and then you can tailor it for each jurisdiction's particularities. Now, GDPR set the standard globally for data protection, copied to various degrees from California to India, to Brazil, the Caribbean and China. And it's not surprising: the seven principles in GDPR are actually all from the Council of Europe's Convention 108 from 1981. That was the first legally binding international instrument on data protection, with 55 signatures, including all the EU, the UK, Turkey and Russia, and it contains all of these principles.

Right, so there we go. You now know what the seven principles of GDPR are. You know how they drive your compliance and how they can underpin a global program. Please do look at our other Privacy Kitchen videos. I mentioned the 27001 video. We've got a 27701 video, "What is GDPR?", and "10 Steps to GDPR Compliance", also very popular. Do visit us at keepable.com, take a demo, and please do use #PrivacyKitchen to tell us the topics you want us to cover. So stay well in the meantime, and we'll see you soon in Privacy Kitchen.

Did this video make the topic easy for you? Well, that's what Keepable software is all about: making GDPR compliance a breeze, instantly creating the insights you need to prove your compliance to the board and customers alike. Why not see for yourself by booking your demo at keepable.com, and while you're there, there's a whole host of content on our blog, including real-life customer stories, insightful posts and useful downloads. Hit the link in the video description or visit us at keepable.com. Looking forward to speaking with you soon.