Lesson 3: The importance of privacy in project management
Notion 18
Data protection principles
Article 5 of the General Data Protection Regulation (GDPR) sets out key principles for data protection. It influences other rules and obligations found throughout the legislation in all EU countries. Each principle will be developed in the next lesson, but a short presentation of each follows:
Lawfulness, Fairness, and Transparency
Any processing of personal data should be lawful and fair. It should be transparent to individuals that personal data concerning them are collected, used, consulted, or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.
Purpose Limitation
Personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. However, further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes (in accordance with Article 89(1) GDPR) is not considered to be incompatible with the initial purposes.
Data Minimisation
Processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum (see also the principle of “Storage Limitation” below).
Accuracy
Controllers must ensure that personal data are accurate and, where necessary, kept up to date, taking every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. In particular, controllers should accurately record information they collect or receive and the source of that information.
Storage Limitation
Personal data should only be kept in a form which permits identification of data subjects for as long as is necessary for the purposes for which the personal data are processed. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.
Integrity and Confidentiality
Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including protection against unauthorised or unlawful access to or use of personal data and the equipment used for the processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability
The controller is responsible for, and must be able to demonstrate, their compliance with all of the above-named Principles of Data Protection. Controllers must take responsibility for their processing of personal data and how they comply with the GDPR, and be able to demonstrate (through appropriate records and measures) their compliance.