The most important principles of the data protection regulationThe page was last modified:
The data protection regulation contains a long list of rules and requirements for how personal data can be processed in an organisation. Despite that, these rules do not provide a lot of guidance on how you as a small business owner is permitted to process personal data relating to your customers, suppliers, employees and others.
However, the rules, reasons and other legal text in the regulation are all based on a few fundamental principles:
- Only collect and process personal data if it is permitted.
- Inform the people whose information you are collecting. It might for example involve information about customers, suppliers and employees.
- Decide in advance what the personal data will be used for and do not use the data for any other purpose.
- Do not collect more personal data than what is needed. Never collect personal data “because it might be useful”.
- Ensure that the personal data is correct and up to date.
- Delete personal data that is no longer needed.
- Protect the data from unauthorised use and unauthorised access.
- Document your intentions with regard to your processing of personal data.
If you want to further simplify these basic principles, these three points will get you quite far:
- Do not collect more personal data than what is needed and only collect it for a certain predetermined purpose.
- Do not save the data longer than what is needed.
- Protect the personal data that you are processing in your company.
The GDPR fundamental principles at the Swedish Authority for Privacy Protection (IMY)
Responsible: Swedish Agency for Economic and Regional Growth