7 Core Principles for GDPR Data Protection

Javed Shah

With the EU becoming a major economic player, its rules and regulations are being felt around the business world.

What is GDPR? GDPR is a set of regulations specific to businesses in the EU governed by seven principles to protect individual data rights in a data-driven world.

What Is the General Data Protection Regulation (GDPR)?

GDPR is the governing data privacy and security standard in the European Union. Unlike many other standards outside of the EU, GDPR emphasizes the rights of individuals over their personal data and attempts to balance these rights against legitimate businesses interested in data collection and processing.

At the heart of GDPR exist several core ideas that inform every requirement. These include:

  • Data Ownership: Individuals from or inside the EU, known as “data subjects,” own their private data. As such, they have certain rights over that information, including the right to see all information an organization has from them, the right to correct errors in that data, and the right to demand the deletion of that data (the right to be forgotten).
  • Consent: Marketing isn’t a free-for-all in the EU. Any use of data for marketing purposes (collecting email addresses for a mailing list, using cookies to track behaviors, etc.) must come with an explicit consent given by the data subject.
  • Business Limitations: Businesses may only use data pursuant to the reasoning given for collecting that data. That is, businesses must disclose to data subjects the reason for collecting data to receive consent, and they may not process that information outside of that reasoning.
  • EU Locality: GDPR governs businesses and individuals inside and sometimes outside of the EU. Broadly, if a company collects or processes data in the EU, or collects or processes data from EU citizens (regardless of their current location), they must follow GDPR rules.

Thus GDPR is an expansive and rather strict set of laws that fundamentally shape how organizations do business within the EU.

What Are the Seven Principles of GDPR?

To expand on these broad ideals, the language of the law within GDPR will align with seven basic principles. These principles cover business operations, IT infrastructure, and interactions with individual data subjects. These principles are defined in Article 5 of GDPR.

The seven core principles of GDPR are:

  1. Lawfulness, Fairness, and Transparency: Article 5 of GDPR states that organizations must collect and process data legally and transparently. This means that they cannot break any laws, and their collection and processing operations must be open and transparent to regulating bodies and data subjects.
  2. Purpose Limitation: Organizations collecting information from data subjects must gain consent, and part of that consent is that the reasoning for collecting that data is made clear to the individual. Furthermore, the organization may not use that information for other business reasons–all data processing must be explicit, specific, and for legitimate purposes.
  3. Data Minimization: Organizations collecting information from data subjects may only gather the minimum data adequate and relevant to the stated purpose. Data retention should continually adhere to the minimum information required to perform the specified processing purpose. This excludes collecting data for future potential business purposes.
  4. Accuracy: Organizations must keep data up-to-date as much as possible. Furthermore, any requests from a data subject to change incorrect data must be fulfilled as soon as possible (within 30 days).
  5. Storage Limitation: Any data storage must maintain protections such that the exposure of private information is limited to a time frame no longer than necessary for the stated processing and business purposes. Additionally, once those purposes are completed, the organization must delete that information or justify governing GDPR bodies as to why retention is still necessary.
  6. Integrity and Confidentiality: All data storage and processing must be done with consideration of appropriate security and privacy measures, including protection against unauthorized disclosure, loss, destruction, or damage to integrity. Privacy measures must include proper encryption, authentication and authorization controls, and privacy practices.
  7. Accountability: Organizations must adhere to these principles, including demonstrating compliance.

There are benefits to complying with GDPR, but primarily any data-gathering and processing operations impacting individuals from or in the EU face mandatory compliance.

What Happens If I Don’t Meet These Requirements?

It’s not uncommon for large enterprise organizations to weigh the risks of security breaches against business needs and the costs of non-compliance–including fines and legal expenses. This typically isn’t the case for GDPR, where steep fines are the norm.

The penalties for non-compliance with the seven principles of GDPR include:

  • Tier 1 (Less Severe Infringements): Organizations that don’t adhere to the lawful basis of processing data, auditing organizations that don’t correctly certify organizations, and other general non-compliance will result in fines up to €10 million or 2% of the organization’s worldwide annual revenue from the previous year, whichever is greater.
  • Tier 2 (More Serious Infringements): Violations of processing or security principles, data subject rights, consent rights, or the transfer of EU data to third countries will result in fines up to €20 million or 4% of the organization’s worldwide annual revenue from the previous year, whichever is greater.

Stay Ahead of GDPR Security Requirements with 1Kosmos

One of the core principles of GDPR is maintaining the privacy and security of user information, and authentication and identity management are critical to that effort. With proper identity verification mechanisms in place, your company can hope to meet the rigorous requirements of GDPR.

1Kosmos makes adhering to these regulations simple and straightforward without compromising usability. With 1Kosmos BlockID, you can implement decentralized ID management with strong multi-factor authentication and easy user onboarding such that you meet whatever security requirements are needed.

With 1Kosmos, you get the following benefits:

  • SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone.
  • Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
  • Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
  • Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture and the encrypted data is only accessible by the user.
  • Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain, encrypts digital identities, and is only accessible by the user. The distributed properties ensure no databases to breach or honeypots for hackers to target.
  • Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.

If you’re ready to learn about BlockID and how it can help you remain compliant and secure, read our eBook on how to Go Beyond Passwordless Solutions. Make sure you sign up for the 1Kosmos email newsletter for updates on products and events.

Overcoming Resistance to Change on the Journey to Passwordless MFA
Read More
Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty year career designing and building blockchain and identity management solutions. He has led large customer facing pre-sales teams, led product management for identity management platforms like the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.