How to Establish Privacy Principles Within an Organization

Author: Ethan Heilig

Collecting, using, and deleting personal data has recently been the subject of increased political and social scrutiny. Data collection has been at the centre of everything, from congressional hearings to Netflix documentaries. One result of this increased scrutiny is that the E.U. enacted the General Data Protection Regulation (GDPR), which took effect in May of 2018. California has now passed a similar law, known as the California Consumer Privacy Act (CCPA), which will take effect on Jan. 1, 2020.

Both of these laws have significant implications for U.S. companies pertaining to the way data is collected, used, and deleted. This raises the question: how do the affected companies establish privacy principles within their organization to comply with these new regulations? While the CCPA does not enumerate principles for how companies should establish privacy practices, the GDPR outlines six privacy principles. These can be examined in greater detail in Article 5 of the GDPR.

First, data collection practices must be transparent, lawful, and fair. The lawful principle simply means that organizations must ensure their data collection process does not violate the law. Both the GDPR and the CCPA outline lawful ways to collect data in great detail. To be transparent and fair, organizations must inform users how and why their information is being used. In essence, organizations cannot hide data collection or mislead data subjects as to why their information is being collected.

The second principle is purpose limitation. Any potential use of data must be explicitly stated in an organization’s privacy agreement. This ties into the transparent and fair qualifications of the first principle. Data must be: “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes” (GDPR, Article 5). Once its purpose has been served, data must be deleted.

The third principle is data minimization. This principle refers to any data that can identify its data subjects. The use of identifiable personal data must be “adequate, relevant, and limited to what is necessary to the purposes for which they are processed” (GDPR, Article 5). In other words, identifiable personal data can only be used if it is essential to the processing purpose expressed in the privacy agreement. Though this principle is designed to ensure the privacy of data subjects, it also has benefits for the organization collecting the data: besides streamlining the data collection process, it minimizes the potential harm that would occur in a data breach, since data that was never collected cannot be exposed. (oneDPO’s PurposeGraph can help you with data minimization. Our AI-based automated privacy platform can help you minimize data faster and with less effort.)

Accuracy is the fourth principle. Accuracy of data is an obvious imperative for organizations involved in data collection. The GDPR stipulates that every “reasonable step” must be taken to ensure personal data is accurate (GDPR, Article 5). If data becomes corrupted or is inaccurate, companies must erase or amend the data in question. Furthermore, individuals can request that inaccurate data be erased. This request must be honoured within 30 days.

The storage limitation principle deals with when data must be deleted. Simply put, personal data must be deleted when it is no longer necessary to complete the purpose enumerated in the privacy agreement. However, when exactly is data no longer necessary? The answer to this question will depend on both the industry an organization is in and what kind of data is being collected. The best way to ensure compliance with this principle is to be as explicit as possible in the privacy agreement.

The final principle outlined in the GDPR is integrity and confidentiality. This principle requires that an organization take steps to ensure the data it has collected is secure. This principle is the most ambiguous of the six, but it is vague for good reason. Privacy and security technologies are ever-changing, so explicitly stating which process to use would be a waste of time. Companies should use the most efficacious technology available to ensure unauthorized individuals do not gain access to information.

Though the CCPA does not enumerate any principles, establishing internal privacy principles is essential for two reasons. First, the GDPR, though it protects only EU residents, still applies to US companies interacting with European customers. Second, the increasing prevalence of personal data in the digital world means that regulation will likely only become more all-encompassing and stringent.