The latest news, events and articles from ESPO, including case studies, editorials, blog posts and featured products.

What the seven principles of GDPR mean for your organisation

What the seven principles of GDPR mean for your organisation

Shredall SDS Group, a supplier on our Secure Shredding and Disposal framework (981) discusses what the seven principles of GDPR mean for your organisation.

The GDPR sets out seven principles for the lawful processing of personal data. Some examples of processing data include collection, organisation, storage, alteration, restriction, erasure or destruction of personal data. 

1. Lawfulness, fairness and transparency
The first principle emphasises transparency, when collecting the data, it must be made clear why the data is being collected and how the data will be used. The collection, processing and disclosure of data must all be done in accordance with the law. That includes data collection, data storing and data processing. 


2. Purpose limitation
Organisations must have a specific and legitimate reason for collecting and processing personal information. You must inform your clients about the purpose of the data collected and only use the data for those purposes. Under GDPR, clients must consent to the use of their personal data and must be able to easily withdraw consent whenever they want. 

3. Data Minimisation 
Under GDPR, data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” This means that organisations should only store the minimum amount of data required for their purpose. 

4. Accuracy
Personal data must be accurate and kept up to date. It’s important that old data is securely disposed of immediately. Keeping on top of your data is essential; regularly reviewing information held about individuals and delete or amend inaccurate information. 

5. Storage limitations 
Once you no longer need personal data for the purpose of which it was attained, it should be deleted or destroyed unless there is a reason for retaining it. A retention period would need to be set for all personal data you collect and a justification for the date set. 

6. Integrity and confidentiality 
The security of your data is paramount. Your organisation must ensure that all the appropriate measures are in place to secure the personal data you hold. This could be protection from internal threats such as unauthorised use, accidental loss or damage, as well as external threats such as phishing or theft.

Your organisation should consider working forwards gaining official certification, such as ISO 27001, to prove your commitment to cyber security. Data theft can occur both online and offline. Archiving your files off-site in a secure facility can be increase your security as opposed to leaving your files on-site in the office for anyone to access. 

7. Accountability
The final principle states that organisations must take responsibility for the data they hold and demonstrate compliance with the previous principles. This requires a thorough documentation of all policies that govern the collection and procession of data. To ensure compliance, organisations must be sure that every step within the GDPR strategy is auditable and can be complied as evidence efficiently.

To find out more about ESPO’s Secure Shredding and Disposal framework (981), including the suppliers listed, click here or contact our team on:    

t: 07880 063251