The European General Data Protection Regulation (GDPR) outlines how we should work with privacy-sensitive data.
The GDPR outlines six data protection principles you must comply with when processing personal data. These principles relate to:
Lawfulness, fairness and transparency You must process personal data lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose limitation You must only collect personal data for a specific, explicit and legitimate purpose. You must clearly state what this purpose is, and only collect data for as long as necessary to complete that purpose.
Data minimisation You must ensure that personal data you process is adequate, relevant and limited to what is necessary in relation to your processing purpose.
Accuracy You must take every reasonable step to update or remove data that is inaccurate or incomplete. Individuals have the right to request that you erase or rectify erroneous data that relates to them, and you must do so within a month.
Storage limitation You must delete personal data when you no longer need it. The timescales in most cases aren’t set. They will depend on your business’ circumstances and the reasons why you collect this data.
Integrity and confidentiality You must keep personal data safe and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.