Data protection principles – International Data Protection Day 2025

A new year often comes with resolutions to do better and achieve new goals in our personal and professional lives. Improving your business’s data protection compliance and ensuring that personal data is processed in a manner that is lawful doesn’t always make the list. However, as it’s been nearly 7 years since the GDPR came into force, now is a good time to see if all the effort put in then is still working for you as intended.

We may have missed 1st January, but 28th January is an even better time to start that work since it is Data Protection Day, marking the anniversary of the first international convention on protecting personal information.

What is data protection?

Data protection is a principles-based framework for the fair and responsible use of personal data about living individuals. It applies to all types of organisations when they hold or use personal data electronically or keep it in a manual filing system.

The UK General Data Protection Regulation (UK GDPR) is the UK’s data protection law for most organisations. It sets out those principles, as well as the rights people (called ‘data subjects’ in the legislation) have over their data.

What are the data protection principles?

The current principles are that personal information must be:

  • Used lawfully, fairly and in a transparent manner
  • Collected for specific, explicit and legitimate purposes
  • Adequate, relevant and limited to what is necessary for your purposes
  • Accurate and, where necessary, kept up to date
  • Kept in an identifiable form for no longer than necessary for your purposes
  • Secured against unauthorised or unlawful use, accidental damage, loss or destruction

Organisations (or ‘data controllers’) are also responsible for being able to demonstrate how they comply with the principles.

Turning principles into practice

It’s not always easy to know where to start with turning high-level principles into practical steps, but here are four suggestions to get you started.

  1. Play devil’s advocate. Take a form you use to gather information from customers. Challenge whether you have a good reason to collect and use every single piece of personal information on that form. If not, change the form to only collect the information that you genuinely need.
  2. Learn from your mistakes. Feedback and complaints provide valuable information about how fairly people think they have been treated. If you received any feedback or complaints last year about how you handled personal information, use these to inform changes so those issues don’t arise again.
  3. Start the spring clean. You should only keep personal information for as long as you need it. Is there a stack of old forms gathering dust at the back of a cupboard, or a folder on the shared drive that hasn’t been looked at in years? Bite the bullet and delete what’s no longer needed. “Just in case” is not a good reason!
  4. Build your defences. How well protected are you from cyber threats, and what would you do if you were the victim of an attack? All businesses and organisations are at risk of being targeted by cybercriminals. Tools like Cyber Essentials can help you check you have an appropriate level of security in place to protect your information, and a plan in place in case the worst does happen. This proactive approach is vital for securing sensitive information such as financial information, or perhaps information used in health and social care.

New legislation

The Data (Use and Access) Bill is currently being considered by the UK Parliament. It will amend current data protection law but won’t affect the main principles. We’ll be keeping a close eye on developments and advising clients what the changes mean for them.

How we can help

For further information on how we can assist your organisation with data protection compliance, such as handling subject access requests or providing you with training, please get in touch with Douglas McLachlan, David Freeland or your usual Anderson Strathern contact.
