What is the GDPR Data Accuracy Principle?
Defined in Article 5(1)(f) of the General Data Protection Regulation (GDPR), integrity and confidentiality is the sixth principle related to the processing of personal data.
Data Accuracy Summary
- Organizations must take necessary and reasonable steps to ensure the accuracy of personal data collected from data subjects
- Organizations must identify essential steps, depending on the purpose of processing, to erase or rectify inaccurate data without delay
- Closely related to data subjects’ rights to rectification
- Data standard principle, similar to standard principles of data minimization and storage limitation
- Highlights clear differences between personal data and historical data. Personal data may change, but should not adversely affect historical data in use
What are the primary differences between the GDPR and the 1998 Data Protection Act (DPA)?
The GDPR accuracy principle is similar to the fourth principle of the 1998 Data Protection Act, with only a few differences between the two.
The GDPR explicitly specifies that erasure or rectification of inaccurate personal data is to be processed without delay; this is implied within the 1998 Data Protection Act. The 1998 Act explicitly mentions incomplete data when discussing steps to ensure accuracy which is not included in the GDPR but is implied by its current language.
The only main difference between the two is the inclusion within the 1998 Data Protection Act defining what ‘inaccurate’ means. The 1998 Act defines ‘inaccurate’ data as “incorrect or misleading as to any matter of fact”; availability of such definition is not present in the GDPR.
Business Considerations for Organizations to Understand
How do you handle records caused by your organization’s mistake?
Sometimes records are created by mistake, causing inaccuracies in the data. However, there are certain cases, in which such mistakes may be kept, without rectification, often to track a trail of events. An example of such a scenario could involve the ordering of goods, resulting in the organization delivering the wrong product. Although the seller would likely resolve the problem, it may be necessary to keep a record of the wrong item shipped without rectifying the data, so that, if needed in case data subjects make subsequent inquiries, business owners can go back and analyze the chain of events.
What to do if a data subject challenges the accuracy of their personal data?
If a data subject challenges the accuracy of their personal data, the organization should first verify the accuracy of the claim. If valid, the organization should either delete or correct an inaccuracy. Following the GDPR, individual data subjects pose the right to have incorrect data rectified.
However, individuals do not have the right to erasure for reasons of inaccuracy. Under the accuracy principle, organizations are required to take all reasonable steps to ensure the accuracy of personal data without delay. So, although not required, organizations should consider the option of erasure when complying with this principle, especially if it presents the more reasonable option for rectifying promptly.