What is the fourth of the seven data processing principles outlined in GDPR?
The fourth principle of data processing is data accuracy.
Based on the principle of data accuracy, organizations must take reasonable steps to ensure that the information they hold on data subjects is accurate, keep that information up to date, correct any incorrect or misleading information on data subjects, and consider the possible challenges to data accuracy when collecting data.
GDPR text on data accuracy
Article 5 of GDPR provides that personal data shall be:
“accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay”
What is the data accuracy principle?
The data accuracy principle is the notion that organizations should ensure they collect and process accurate information on a data subject.
Individuals have the right to demand that organizations correct inaccurate data on them or even delete that incomplete or inaccurate data.
As a result, for individuals to be able to exercise their right to rectification or right of erasure, organizations must take the necessary steps to keep data subject information accurate.
How to keep data accurate?
Companies must adopt policies and procedures designed to keep information on data subjects complete and accurate.
As such, to comply with this fourth GDPR principle, companies must take all the necessary and reasonable steps to ensure data on data subjects are accurate.
Organizations should validate that the source of the information on the data subject is clear.
They should consider verifying the information they hold at regular intervals to ensure the data remains accurate and up to date.
Companies must also evaluate any possible hurdles, obstacles or challenges they may face in keeping the collected data accurate.
At what point is personal data considered inaccurate?
GDPR does not clearly define the boundaries between accurate data and inaccurate data.
It is left up to companies and organizations to evaluate the accuracy of the personal data they hold on individuals.
For example, if someone currently lives at a specific address and the company does not have the individual’s proper address, this is inaccurate data.
On the other hand, if the company has a record of the previous address of the data subject, although the person no longer lives there, the historical data is nonetheless correct.
Whether the data is accurate therefore depends on how the company views the data.
In our example, the same information about someone’s address was accurate in one instance and inaccurate in the other instance.
Do companies have an obligation to keep records of a mistake in data processing?
It often happens that organizations make good-faith mistakes in processing data for a customer.
For example, a customer purchases product A and it is recorded as product B.
In another instance, the customer buys a product for $100 but it’s recorded and charged at $400.
If there was a mistake in the records of the company, should that be corrected or deleted?
In most cases, companies have a legitimate interest in keeping a factual record of the mistake, even though a mistake was made.
Companies will generally keep that record and document the mistake so they can provide sufficient justification to their client, auditors or other stakeholders.
Keeping the record of the mistake is therefore acceptable and will not violate the data accuracy principle to the extent the records factually show the mistake.
The records kept by a company should factually reflect the mistake for historical purposes.
What measures should be taken to update personal data?
Companies should make reasonable efforts to ensure that the information they use and process on individuals remains up to date.
Having said that, do companies have the obligation to keep all personal data up-to-date all the time?
It will depend on the nature of your processing.
When you process personal data for a particular purpose, the information must be accurate and up-to-date so you can successfully achieve your purpose.
For example, if you need to ship goods and products to a person, you want to make sure you have the person’s correct shipping address.
If you have the person’s shipping address, do you need to re-engage with your clients to have them update their address?
In such instances, it’s reasonable to rely on the individual’s initiative to give you their latest address and periodically ask them if their address has changed.
If they do not request the update of their address, you can rely on the address they gave you.
If you are processing personal data on a regular basis, you’ll have more of an interest in keeping that information up to date, as you rely on that data often.
For more content on the GDPR principles, read our post titled What Are The 7 Principles of GDPR?