The 6 GDPR Principles
GDPR can be split into six principles, as below:
- Principle 1: Lawfulness, fairness and transparency - This requires that data must be processed in a lawful, fair and transparent manner, i.e. when data is collected, it must be clear as to why it is being collected and how it will be used.
- Principle 2: Purpose limitations - This requires that data should be collected for specified, explicit and legitimate purposes and not processed for further, incompatible purposes.
- Principle 3: Data minimisation - This requires that data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Principle 4: Accuracy - This requires that data must be accurate and, where necessary, kept up to date.
- Principle 5: Storage limitations - This requires that data must not be kept for longer than is necessary.
- Principle 6: Integrity and confidentiality - This requires that data must be processed securely.
Examples in practice
Scenario 1
You may collect personal data from patients as part of your day-to-day work, for example when they sign up to your pharmacy to have their prescriptions collected. You must ensure that you do not use this data for any other purposes, such as direct marketing, without valid and explicit consent, as this would breach principles 1 and 2.
Scenario 2
You may collect personal data as part of recruiting for a vacancy, such as via an application form. You must ensure that you limit the data collected to only what is relevant; for example, it is not normally necessary to ask for sensitive personal information such as sexual orientation, religious and politic