
Accuracy

Accuracy is the GDPR principle requiring personal data to be correct and, where necessary, kept up to date; inaccurate data must be erased or rectified without delay.

Accuracy is one of the core processing principles of the GDPR and is set out in Article 5(1)(d) GDPR. Under this principle, personal data must be accurate and, where necessary, kept up to date. Controllers must take every reasonable step to ensure that personal data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay. The principle protects data subjects from adverse decisions being made on the basis of incorrect or outdated information.

The benchmark for accuracy is always the specific purpose of the processing: how current and precise the data must be depends on what it is used for. A one-off shipping address is held to a lower standard than creditworthiness or health data that drive ongoing decisions. The controller must therefore take a risk-based approach to assessing the intervals and methods used to validate, reconcile and update data sets. The obligation is one of both result and effort: it requires the outcome of 'accurate data' as well as evidence of appropriate organisational and technical measures taken to achieve it.

Accuracy is closely linked to the right to rectification under Article 16 GDPR, which gives the data subject an enforceable claim to have inaccurate data corrected and incomplete data completed. Added to this are the notification duty towards recipients under Article 19 GDPR and the overarching accountability principle under Article 5(2) GDPR, under which the controller must be able to demonstrate compliance with the principle. Infringements may be sanctioned under Article 83(5) GDPR with fines of up to EUR 20 million or 4 percent of total worldwide annual turnover, which is why accuracy should be a fixed component of any data protection governance.

Legal Basis

Art. 5(1)(d) GDPR (in conjunction with Art. 16, Art. 19 and Art. 5(2) GDPR)

Practical Example

A data protection coordinator at an insurance company finds that customer addresses merged from several legacy systems are partly outdated, causing contract documents to be sent to the wrong recipients. She establishes an annual data quality review, integrates an address check against a reference register and sets up a self-service portal through which policyholders can correct their own master data. Incoming rectification requests are handled within one month and affected recipients are informed under Article 19 GDPR; the measures are documented in the record of processing activities to satisfy the accountability principle.

FAQ

It requires controllers to keep personal data accurate and, where necessary, up to date. The standard depends on the purpose of the processing. Inaccurate data must be rectified or erased without delay.
Accuracy is the controller's objective duty under Article 5(1)(d) GDPR. The right to rectification under Article 16 GDPR is the data subject's subjective counterpart. Both aim at correct and complete data sets.
Proven measures include regular data quality reviews, automated plausibility and duplicate checks, and self-service corrections for data subjects. Rectification requests should be handled within the deadline and recipients informed under Article 19 GDPR. Everything should be documented for the accountability principle.
