GDPR : 7 principles to follow when treating personal data

February 20, 2019
February 20, 2019
20 February 2019

In December 2018, Matthieu Blanc – Ex – VP Product for Zeenea – asked himself: “How will the GDPR change the Big Data world?” In this series of articles, we focus on the legal aspects explained during his conference at XebiCon’17.


Personal data treatment must obey these 7 principles:


1) The principal of lawfulness, loyalty and transparency

The law imposes that data must be collected and treated in a loyal and lawful manner, implicitly dictating to the person in charge of the treatment that they must be transparent to the person concerned.

Let’s go a bit deeper:


  • The law guarantees to the people that submit their data the necessary information relative to the treatments concerning them.
  • It assures the possibility of personal control.
  • The person in charge of personal data is obligated to warn the people concerned as soon as the data is collected and when the data is transmitted to third parties.

2) The principal of purpose

All personal data that is collected and treated must be for legitimate purposes, corresponding to the person in charge or the enterprise’s missions. The misuse of these data is punishable by criminal law. 

3) The principal of proportion

The regulation demands that data must be collected for specific treatment and must be clearly defined.

For example : in the case of a marketing operation where the last name, first name and email address are sufficient for the intended treatment, the collection of street address, family situation, financial situation, etc., will be judged out of proportion thus, punishable by law.


4) The principle of relevant data

In other words, enterprises must ensure that the data is exact and up to date if necessary.


5) The principle of limited access and conservation of data

This information cannot be kept for an unlimited period of time in the enterprise’s information systems. A time limit must be established for each file. When that limit has passed, the data must be deleted or kept anonymous.


6) The principal of security and confidentiality

The regulation reinforces security measures. Enterprises are responsable for the data they treat’s security and must implement the adequate measures to guarantee it (pseudonymization of data, impact analysis, intrusion tests, etc.).

This means that the person responsable for their treatment is constrained to these security measures. They must implement these to: 

  • Guarantee their data’s confidentiality and avoid their disclosure. In other words, the person in charge must assure that any third parties that do not have authorization to their data can’t have access.
  • Prevent data from being distorted or damaged.
  • Etc.

This responsibility is put forward by a new principle “Privacy By Design”. This principle refers to the process of taking all the necessary steps to protect the rights of the people (ie from the design of a product or service) and throughout the data’s lifecycle (from collection to deletion).

Security measures, both physical and logical, must be taken.

For example: fire protection, backup copies, the installation of anti-virus softwares, frequent change of passwords, etc.). Security measures should be appropriate to the nature of the data and the risks presented by the treatment.


7) The principal of responsibility

One of the most major changes is the principle of responsibility. This principle obligates enterprises to document all measures and procedures in terms of personal data security.

This documentation serves as proof of conformity to the new rules and regulations if ever an enterprise were to have administrative checks. This measure results in the obligation to maintain a register of treatments. Indeed, this register makes it possible to constitute a database for the treatments, but could also serve to centralize and to follow all the steps of conformity implemented by the company.
The abolition of the obligation of  declaration prior to the CNIL. This measure reflects the principle that governs the GDPR: empowering businesses by developing self-control.

It is no longer up to regulators to prove that you are in the wrong, but it is up to you to prove that you are in the right!

zeenea logo

At Zeenea, we work hard to create a data fluent world by providing our customers with the tools and services that allow enterprises to be data driven.

zeenea logo

Chez Zeenea, notre objectif est de créer un monde “data fluent” en proposant à nos clients une plateforme et des services permettant aux entreprises de devenir data-driven.

zeenea logo

Das Ziel von Zeenea ist es, unsere Kunden "data-fluent" zu machen, indem wir ihnen eine Plattform und Dienstleistungen bieten, die ihnen datengetriebenes Arbeiten ermöglichen.

Related posts

Articles similaires

Ähnliche Artikel

Be(come) data fluent

Read the latest trends on big data, data cataloging, data governance and more on Zeenea’s data blog.

Join our community by signing up to our newsletter!

Devenez Data Fluent

Découvrez les dernières tendances en matière de big data, data management, de gouvernance des données et plus encore sur le blog de Zeenea.

Rejoignez notre communauté en vous inscrivant à notre newsletter !

Werden Sie Data Fluent

Entdecken Sie die neuesten Trends rund um die Themen Big Data, Datenmanagement, Data Governance und vieles mehr im Zeenea-Blog.

Melden Sie sich zu unserem Newsletter an und werden Sie Teil unserer Community!

Let's get started
Make data meaningful & discoverable for your teams
Learn more >

Los geht’s!

Geben Sie Ihren Daten einen Sinn

Mehr erfahren >

Soc 2 Type 2
Iso 27001
© 2024 Zeenea - All Rights Reserved
Soc 2 Type 2
Iso 27001
© 2024 Zeenea - All Rights Reserved
Démarrez maintenant
Donnez du sens à votre patrimoine de données
En savoir plus
Soc 2 Type 2
Iso 27001
© 2024 Zeenea - Tous droits réservés.