The GDPR sets the gold standard for protecting personal data, but do you know the seven principles that can make or break your compliance? Discover how mastering these rules can help your business build trust and stay on the right side of the law. Ready to elevate your data protection game? Let’s dive in!
The General Data Protection Regulation (GDPR) sets a high standard for data protection, ensuring personal data is handled responsibly and with respect for individuals' rights. Both the EU and UK GDPR are based on these seven key principles that guide businesses in managing personal data. Understanding these principles is crucial for businesses to effectively navigate their data protection obligations.
The first principle, lawfulness, fairness and transparency, means that a business must process personal data in accordance with applicable laws and in a way that is fair and transparent towards individuals. Businesses must ensure that each processing activity rests on one of the six legal bases provided for in the GDPR, such as consent, contractual necessity or legitimate interest. It also means that a business must handle data in a way individuals would reasonably expect and be open about how it collects and uses personal data, typically by publishing privacy notices.
Personal data must be collected and processed for specified, legitimate purposes and not used in ways that are incompatible with those purposes. Businesses should clearly define the reasons for collecting personal data and cannot repurpose the data unless the additional purpose is compatible with the original one or the business has a valid legal basis to do so.
Businesses should collect only the personal data that is necessary, relevant and not excessive in relation to the purpose for which it is processed. This principle encourages businesses to limit data collection to what is essential, which reduces the impact of a data breach and supports stronger compliance with the GDPR.
Personal data must be accurate and kept up to date. Inaccurate data should be corrected or deleted promptly to prevent errors that could impact both businesses and individuals. Regular data reviews and updates are crucial to maintaining accuracy.
Personal data must not be retained indefinitely. It should only be retained for as long as necessary to fulfill the purpose for which it was collected. Personal data should have a defined retention period or clear guidelines for determining that period. Once its purpose is fulfilled, the data should be securely deleted or anonymized.
Businesses must implement technical and organizational measures that are appropriate to the types of personal data being processed and the nature of the processing activities. These measures are essential for protecting personal data from unauthorized access, loss, or damage. This principle underscores the need for robust security practices, such as encryption and regular security audits, to safeguard data against both external and internal threats.
The accountability principle requires businesses to take responsibility for GDPR compliance and to actively demonstrate it. This means that businesses must not only adhere to the GDPR principles but also continuously implement measures that promote and safeguard data protection. This includes maintaining thorough documentation and records of processing, conducting regular audits, and implementing data protection policies. By doing so, businesses can prove their commitment to protecting personal data and ensure ongoing compliance with GDPR requirements.
As a data processor, Veriff is committed to empowering our customers, the data controllers, in achieving compliance with GDPR principles. Here are some examples of key elements to understand about personal data processing and best practices followed by Veriff:
In conclusion, by following these key GDPR principles, businesses can protect personal data, meet legal requirements, and build trust in customer relationships. In today’s privacy-conscious landscape, adhering to these principles is not just a legal obligation but a key business strategy that mitigates risks, fosters trust and enhances reputation.
Please note that Veriff does not provide legal advice. This article is provided for informational purposes only. You should always discuss your privacy and data protection operations or issues with a qualified legal counsel or privacy specialists.