The GDPR (General Data Protection Regulation) outlines six data protection principles that summarise its many requirements.
These are an essential resource for those trying to understand how to achieve compliance. Indeed, small organisations, which often lack the resources to appoint data protection experts to guide them through compliance, may find them particularly useful.
We take a look at each principle in this blog, and provide advice on how they should fit within your GDPR compliance practices.
1. Lawfulness, fairness and transparency
The first principle is relatively self-evident: organisations need to ensure their data collection practices don’t break the law and that they aren’t hiding anything from data subjects.
To remain lawful, you need to have a thorough understanding of the GDPR and its rules for data collection. To remain transparent with data subjects, you should state in your privacy policy the type of data you collect and the reason you’re collecting it.
2. Purpose limitation
Organisations should only collect personal data for a specific purpose, clearly state what that purpose is, and only collect data for as long as necessary to complete that purpose.
Processing that’s done for archiving purposes in the public interest or scientific, historical or statistical purposes is given more freedom.
3. Data minimisation
Organisations must only process the personal data that they need to achieve their processing purposes. Doing so has two major benefits.
First, in the event of a data breach, the unauthorised individual will only have access to a limited amount of data.
Second, data minimisation makes it easier to keep data accurate and up to date.

Find out more about GDPR compliance by downloading our free green paper.
General Data Protection Regulation – A Compliance Guide contains a comprehensive overview of your compliance requirements.
You’ll learn about the scope of the Regulation, gain more information on its key requirements and receive expert tips on how to bolster your security practices.
4. Accuracy
The accuracy of personal data is integral to data protection. The GDPR states that “every reasonable step must be taken” to erase or rectify data that is inaccurate or incomplete.
Individuals have the right to request that inaccurate or incomplete data be erased or rectified within 30 days.
5. Storage limitation
Similarly, organisations need to delete personal data when it’s no longer necessary.
How do you know when information is no longer necessary? According to marketing company Epsilon Abacus, organisations might argue that they “should be allowed to store the data for as long as the individual can be considered a customer.
So the question really is: For how long after completing a purchase can the individual be considered a customer?”
The answer to this will vary between industries and the reasons that data is collected. Any organisation that is uncertain how long it should keep personal data should consult a legal professional.
6. Integrity and confidentiality
This is the only principle that deals explicitly with security. The GDPR states that personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
The GDPR is deliberately vague about what measures organisations should take, because technological and organisational best practices are constantly changing.
Currently, organisations should encrypt and/or pseudonymise personal data wherever possible, but they should also consider whatever other options are suitable.
The seventh principle
The GDPR includes an additional principle, accountability, which acts as an overarching set of requirements related to the other six.
By achieving accountability, organisations demonstrate that they have the necessary documentation to prove that they are meeting their compliance requirements.
This is typically done through a combination of technical measures and documentation such as:
- Controller–processor contracts;
- Relevant policies and procedures;
- Privacy notices;
- Staff training records;
- Security monitoring and event logging records;
- Data breach records; and
- Data protection impact assessments.
This isn’t an exhaustive list of the steps that organisations can take, but it covers the essentials.
Organisations should also consider appointing a DPO (data protection officer) or another formal data protection lead to demonstrate compliance.
You can also show your commitment to data security by achieving certification to recognised schemes such as ISO 27001, as well as annually validating compliance with the PCI DSS (Payment Card Industry Data Security Standard) and other contractual security requirements you may have.
Looking for more GDPR expertise?
If you want to know more about the GDPR and how to achieve and maintain compliance, take a look at our GDPR Toolkit.

Designed and developed by GDPR experts, the toolkit contains a complete set of template documents to demonstrate your compliance practices.
It’s ideal for anyone who wants help completing their documentation requirements quickly and easily – but it’s more than simply a set of templates. It also includes:
- Gap analysis and DPIA tools that help you identify compliance weaknesses and how to address them;
- Two licences for the GDPR Staff Awareness E-learning Course; and
- Guidance documents covering data subject consent forms, data retention records, and pseudonymisation, minimisation and encryption.
A version of this blog was originally published on 31 January 2018.
I’m finding it difficult to get an answer to my GDPR question and bearing in mind the complexity of the rules I guess that’s not so surprising! Perhaps you could give me your thoughts. A local UK town council has responsibility for the local cemetery and particularly a Wall of Remembrance there. I am one of the approx. 300 plaque owners on that wall and because of damage to the wall I personally would like to contact the other owners. The Council has a digital register of owners but has refused my request for a copy. My use of the register will be completely personal and in no way offering goods or services. I just want to inform my co-owners of the present state of the wall and get their opinions of the situation.
Do you think there is any way the Council can supply me with a copy of the register, legally and within the limits of GDPR?
Hi Peter
Without the consent of the owners on the register, the Council is indeed following the correct process. You could place a notice for anybody to contact you concerning this matter. GDPR protects the rights of the individual.
Any breach of GDPR is serious & they could be fined for a breach of Principles or Governance.
Breach of the 6 Principles means a fine can be imposed on companies:
The ICO governs GDPR
Breach of Principles: 4% of total global turnover or €20,000, whichever is the highest
Breach of Governance: 2% of total global turnover or €10,000, whichever is the highest.
This is indeed a huge subject. I spent a week on a course learning about GDPR & the above is just a summary in layman's terms; hope that helps.
Isn’t GDPR for living people only or does it cover dead people as well?
Further, assuming that GDPR covers dead people as well, why would GDPR cover data that was already in the possession of an individual who has lost it, if that individual is going to use it for a non-commercial purpose?
Hi
The GDPR only applies to the personal data of living individuals – as per Recital 27 of the GDPR: “This Regulation does not apply to the personal data of deceased persons.”
Regardless of whether personal data has been lost or not, if it falls under the definition of personal data under the GDPR (Article 4(1)), then it is still within scope of the GDPR and must be protected accordingly.
I think we’ve been duped. If my data can be sold I should get paid. I keep reading weird disclaimer about how they don’t sell data. We deserve privacy in our business and lives not promises about things we never thought of by individuals who hide behind jargon.
I am considering making a request to South Wales Police about information they hold on their system. The problem I see is this. I believe they will refuse my request, as the information they hold is about animals which were inspected at my home by my local council. In other words, the information currently retained by South Wales Police is about my animals, and not myself. So would they be within their rights, as I believe they may be, to refuse my request for access to the documents they hold on their system?
Hi Ian
This request actually doesn’t fall under GDPR as it only applies to living individuals and not the data of animals. Therefore, you cannot actually submit a data subject access request to the Police regarding this.
Hello
At my relative’s care home a couple of residents have tested positive for Covid and obviously kept isolated. The home is not prepared to tell other residents (who all go through the same testing regime) which residents have tested positive citing the GDPR rules. This lack of openness seems OTT and keeps residents in the dark about what is going on with their fellow residents when they suddenly disappear for two weeks.
What is your view?
I live in sheltered accommodation and am having the same problem. Do managers have to inform residents who has got Covid? We have got 4 cases at the moment and only heard this through word of mouth.
I am currently proceeding towards an employment tribunal hearing against my employer for unfair constructive dismissal. I’ve been told I should make a data retrieval request to them, most particularly for emails, text messages and WhatsApp messages that may concern me. I suspect they may already be clearing caches of emails. Is it legal for them to attempt to conceal their discussions about me by deleting or hiding data?
Thanks in advance.
I requested a DSAR from a company and some of my data was sent to me during the request. I did receive the DSAR, but they are unable to provide me with the original data, which was still with the Data Protection Commission investigation. But surprisingly, during a WRC hearing of a discrimination case, I discovered some vital data meant for the data request had been sent to me via email without my consent to the company. When I wrote to the company, the data protection officer replied that the company has legal privilege.
Hi, I am really delighted to glance at this website post, which includes plenty of valuable information about GDPR analysis; thanks for providing such statistics. Thank you for sharing the wonderful article. Great post. I will be your regular visitor.
TYSM, this helped a lot. I am easily confused by this subject and am not very good at it, but this helped me.