GDPR requires businesses:
- To collect, use, and store personal data to define a legal base, which the business will use to explain the use of its personal data.
- These could be, for example, that they have the consent of the person, or they collect them within the process of executing an agreement, or for the person’s vital interest, or that they are legally obliged to do so.
- Every piece of personal information possessed by a business must be justified in accordance with the following six principles:
- The data are processed justly, legally, and transparently.
- The data are collected for specific purposes.
- The data are stored just for the period required for processing.
- The data are accurate, and that it takes reasonable measures to ensure their accuracy.
- The data are stored safely and protected from illegal access, accidental loss or damage.
- The data collected are the least required and stored just for the period required for their processing.