Main Principles of the GDPR
Any personal data that you collect or control must pass all of the following tests; otherwise it must be deleted.
Processed lawfully, fairly and in a transparent manner in relation to individuals.
In simple terms, you need to be upfront with using an individual's data in a lawful manner and let individuals know how and why you intend to use their data.
Collected for specific, legitimate purposes and not further processed in a manner that is not in line with the specific purposes.
After being transparent about how and why an individual’s data is used, you mustn’t use the data for any other purposes.
Adequate, relevant and limited to the purpose for which the data is being collected.
You shouldn’t collect data that has no purpose. For instance, you needn’t collect information about height, age, religion, etc. if it has no connection to what your business deals with.
Accurate and up to date.
You must take every step to ensure that personal data that is inaccurate is rectified without delay.
Stored in a form which permits the identification of data subjects for no longer than is necessary.
There are some exceptions to this, such as where data is stored for the benefit of the public interest.
Processed in a manner that ensures appropriate security of the personal data.
Data collected must always be protected against unauthorised or unlawful processing, accidental loss, destruction or damage, using appropriate measures.
Grounds for processing data
Congratulations! If you’ve passed the first set of tests, you now need to establish grounds for being able to process an individual’s data. These must include one or more of the following:
Consent
Performance of a contract
To comply with legal obligations
To protect the interests of the data subject or other people
To perform a task in the public interest
Legitimate interest
Penalties for non-compliance
Now this is where things get serious. You can be fined up to 4% of your annual global turnover or €20 million for breaching the GDPR. This is the maximum penalty that can be imposed for serious violations, such as not having sufficient customer consent to process data. There is, however, a tiered approach to penalties. For instance, you may attract a 2% penalty for violations such as not conducting an impact assessment, or not notifying a supervisory authority about a breach.