The General Data Protection Regulation (GDPR) is an EU law that regulates how businesses may collect, use and process the personal data of EU residents. Under the GDPR, individuals have the rights of access, rectification, erasure, restriction of processing and objection in relation to their personal data, and the right not to be subject to decisions based solely on automated processing.
What are the broad GDPR principles when it comes to processing personal data?
The GDPR sets out seven key principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
1. Lawfulness, fairness and transparency
HelpfulCrowd processes personal data in a lawful, fair and transparent manner in relation to our data subjects.
We adhere to the following key principles:
- We have identified valid grounds under the GDPR (known as a ‘lawful basis’) for collecting and using personal data.
- We ensure that we do not do anything with the data in breach of any other laws.
- We strive to only use personal data in a way that is fair. This means we do not process data in a way that is unduly detrimental, unexpected or misleading to the consumers or customers concerned.
- We strive to be clear, open and honest with consumers and customers from the start about how we will use their personal data.
2. Purpose limitation
HelpfulCrowd applies the GDPR principle of purpose limitation to the personal data of our data subjects:
- We strive to be clear about our purposes for processing from the start of our relationship.
- We only use personal data for a new purpose if that purpose is compatible with the original purpose, we obtain consent, or we have a clear basis in law.
3. Data minimisation
HelpfulCrowd only holds and processes the minimum personal data required, making sure that it is:
- adequate – sufficient to properly fulfil the stated purpose;
- relevant – has a rational link to that purpose; and
- limited to what is necessary – we do not hold more than we need for that purpose.
4. Accuracy
Storing and processing accurate data is important. HelpfulCrowd strives to hold only accurate personal data by:
- taking all reasonable steps to ensure that the personal data we hold is not incorrect or misleading as to any matter of fact;
- keeping personal data up to date where the purpose for which it is used requires it;
- taking reasonable steps to correct or erase personal data as soon as possible if we discover that it is incorrect or misleading;
- carefully considering any challenges to the accuracy of personal data.
5. Storage limitation
HelpfulCrowd has considered how long personal data needs to be stored and keeps it only for as long as it is needed for the purpose for which it is held.
6. Integrity and confidentiality (security)
HelpfulCrowd processes personal data securely by means of appropriate technical and organisational measures, proportionate to the circumstances and the risk of the processing activities. We do, and will continue to do, this by:
- undertaking risk analysis and implementing organisational policies and physical and technical measures;
- imposing additional requirements on, and reviewing, trusted partners and data processors;
- implementing pseudonymisation and encryption where appropriate;
- ensuring the confidentiality, integrity and availability of our systems and services and of the personal data processed within them;
- restoring access to and availability of personal data in a timely manner in the event of a physical or technical incident;
- ensuring that appropriate processes are in place to regularly test the effectiveness of our security measures, close any gaps and implement any required improvements.
7. Accountability
HelpfulCrowd considers accountability to be one of the most important GDPR principles: we must be able to demonstrate our compliance.
We have implemented, and will continue to implement, a number of measures including:
- adopting and implementing data protection policies;
- taking a ‘data protection by design and default’ approach;
- executing written contracts (Data Processing Agreements) with trusted partners and organisations that process personal data on our behalf;
- maintaining documentation of our processing activities;
- implementing appropriate security measures;
- recording and, where necessary, reporting personal data breaches;
- carrying out data protection impact assessments and mitigation measures for uses of personal data that are likely to result in a high risk to individuals’ interests.
We also recommend reading: