We don’t like being watched. That discomfort is equally true online. We expect people and platforms to respect our privacy.
We don’t like being watched. Whether it’s reading aloud to an audience, writing with someone over our shoulder, or making unexpected eye contact, there’s an unease that comes with unwelcome attention. That discomfort is equally true online. We expect people and platforms to respect our privacy and we know all too well how awkward and outraging it can be when a brand oversteps that boundary.
In 1998, the United Kingdom initiated the Data Protection Act 1998. While this legislature wasn’t the first federal effort to protect the personal data of a country’s citizens, the Data Protection Act is often recognized for its focus on positive consent—the idea that individuals should agree to how companies collect, store, and apply their data. The Data Protection Act established the need for positive, active consent through basic data principles, principles that would eventually shape the European Union’s General Data Protection Regulation, or GDPR.
These seven data privacy principles don’t just stand for a governing body and its people; they represent the spirit of data responsibility and respect that individuals ought to demand of their platforms and providers. At their core, they emphasize that personal data collection must be transparent, consensual, and intentional. The principles create the foundation of data privacy in a digital-first community and can help every one of us better understand just how high a bar we ought to set for the companies that handle our personal data.
Now, with that said. Personal data shall be:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy (holding)
- Storage limitation
- Integrity and confidentiality (security)
Principle 1: Lawfulness, fairness, and transparency “Processed lawfully, fairly and in a transparent manner in relation to individuals”
Principle 1 looks at how companies collect personal data and sets a clear expectation that those collection methods must operate legally, with clear privacy policies and purposes. Brands must articulate why they want your personal data and how they intend to use it. To take it a step further, data collectors cannot use your data against you. Companies shouldn’t, for example, track your web habits without your permission, then leverage that knowledge to compel you to purchase their service.
For consumers, this leads to a basic digital right: the right to choose what data you share and how it is used. Many organizations may try to skirt this principle through intentionally dense terms of service and privacy policies. Still, that right to selection treats people like intelligent, responsible, and unique humans, and not as data farms.
Principle 2: Purpose limitation “Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes…”
Companies have to use your data in the way that they promised to apply it. While there is an exception here regarding archiving, scientific, historical, or statistical purposes, Principle 2 emphasizes the purpose of any data collection must be specific, clear, and limited to a relevant scope. For example, private data can’t be collected for research purposes and then turned to the marketing team for outreach.
Principle 2 ties back to our concept of positive consent—when we agree to let our data be collected, we agree to its use in specific ways. This principle helps ensure that companies cannot repurpose our data in any way beyond the terms of that agreement and that our privacy remains intact.
Principle 3: Data minimization “Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
Similar to our first principle, Principle 3 ensures that brands only collect data relevant to the task at hand. Essentially, companies can’t hoard data just because they think they might want to use it later. For example, a company might request your name, email address, and industry to help qualify you as a potential lead for their project, but asking for a home address, mother’s maiden name, and the name of your favorite pet growing up can be a clear violation of privacy.
This principle doubles as a way to help contain exposure and personal damage in the event the company’s data is compromised. If companies keep minimal personal data records, bad actors can only steal minimal personal data.
Principle 4: Accuracy (holding) “Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.”
Companies can’t just sit on their data. The value of a data set is in its accuracy. Whether that data needs an updated personal address for a snail mail campaign or an accurate evaluation of community real estate prices, when old data is applied to immediate circumstances, it rarely ends well. Principle 4 ensures that collectors maintain their data and take reasonable action to erase or rectify inaccurate or incomplete information.
Principle 5: Storage limitation “Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”
Companies shouldn’t just keep your data for as long as they want. Instead, personal data should only be stored as long as needed and then either deleted or anonymized once it has served its purpose. With that said, “as long as needed” tends to be a bit ambiguous between industries and could just as easily be defined as after the transaction ends as it could be the entire lifetime value of the customer.
Principle 5 ensures that collectors don’t retain personal data or reuse personal data beyond its original stated purpose. Like Principle 2, Principle 5 is exempt for historical, statistical, scientific, or archival purposes.
Principle 6 Integrity and confidentiality (security) “Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
For the same reason banks keep vaults, data collectors have an obligation to protect the data they collect. This protection model works in two areas—security and redundancy. Companies need systems in place to ensure the cybersecurity of their data—bad actors shouldn’t be able to access trusted personal data. Likewise, organizations ought to have backups in place if one storage system is compromised.
Principle 7: Accountability “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1.”
The seventh principle essentially doubles down on the organizational responsibility to adhere to these principles. Data collectors must show that they are taking reasonable action to meet the six previous principles because if a rule isn’t enforced, what value does it offer?
While these seven data privacy principles are specific to citizens of and organizations operating within the EU, they still carry a relevance and sense of human dignity that organizations ought to aspire to no matter their nation of origin. By setting a set expectation for what brands can and can’t do with our personal data, these principles create a more transparent and accessible world for individuals and organizations alike.
Inspired by these principles, the Invisibily Bill of Rights highlights the fundamental truths of personal data, including:
- Active Consent
As the data economy continues to grow, it is our hope that more and more individuals will join our cause and demand the same level of dedication from the platforms we use every day.