The GDPR: Understanding the 6 data protection principles

The GDPR (General Data Protection Regulation) outlines six data protection principles that summarise its many requirements.

These are an essential resources for those trying to understanding how to achieve compliance. Indeed, small organisations, which often lack the resources to appoint data protection experts to guide them through compliance, may find them particularly useful.

We take a look at each principle in this blog, and provide advice on how they should fit within your GDPR compliance practices.

1. Lawfulness, fairness and transparency

The first principle is relatively self-evident: organisations need to make sure their data collection practices don’t break the law and that they aren’t hiding anything from data subjects.

To remain lawful, you need to have a thorough understanding of the GDPR and its rules for data collection. To remain transparent with data subjects, you should state in your privacy policy the type of data you collect and the reason you’re collecting it.

2. Purpose limitation

Organisations should only collect personal data for a specific purpose, clearly state what that purpose is, and only collect data for as long as necessary to complete that purpose.

Processing that’s done for archiving purposes in the public interest or for scientific, historical or statistical purposes is given more freedom.

3. Data minimisation

Organisations must only process the personal data that they need to achieve its processing purposes. Doing so has two major benefits.

First, in the event of a data breach, the unauthorised individual will only have access to a limited amount of data. Second, data minimisation makes it easier to keep data accurate and up to date.

A compliance error could cost you millions. GDPR refresher training from as little as €6

4. Accuracy

The accuracy of personal data is integral to data protection. The GDPR states that “every reasonable step must be taken” to erase or rectify data that is inaccurate or incomplete.

Individuals have the right to request that inaccurate or incomplete data be erased or rectified within 30 days.

5. Storage limitation

Similarly, organisations need to delete personal data when it’s no longer necessary.

How do you know when information is no longer necessary? According to marketing company Epsilon Abacus, organisations might argue that they “should be allowed to store the data for as long as the individual can be considered a customer.

So the question really is: For how long after completing a purchase can the individual be considered a customer?”

The answer to this will vary between industries and the reasons that data is collected. Any organisation that is uncertain how long it should keep personal data should consult a legal professional.

6. Integrity and confidentiality

This is the only principle that deals explicitly with security. The GDPR states that personal data must be

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

The GDPR is deliberately vague about what measures organisations should take, because technological and organisational best practices are constantly changing.

Currently, organisations should encrypt and/or pseudonymise personal data wherever possible, but they should also consider whatever other options are suitable.

Looking for more GDPR expertise?

These six principles provide an overview of the GDPR, but they are far from comprehensive.

The rest of the Regulation goes into much more detail on the specific practices that organisations should undertake to make sure they meet its compliance requirements.

You can find out more about those requirements by enrolling on our Certified GDPR Foundation Training Course.

This one-day course provides a complete introduction to the Regulation, and a practical understanding of the implications and legal requirements for organisations of any size.

Get 20% off July and August training dates, plus all distance learning courses.

A version of this blog was originally published on 31 January 2018.


  1. Peter Green 1st August 2018
    • Denise Rolph 10th January 2020
      • R Nesargi 7th February 2020
        • Jessica Belton 7th February 2020
          • Missy 13th June 2021
  2. Ian Crosby 23rd January 2020
    • Jessica Belton 29th January 2020
  3. R Nesargi 7th February 2020
    • Jessica Belton 7th February 2020
  4. N .Hillier 8th October 2020
    • Geraldine Niven 4th February 2021
  5. Paul Carter 11th January 2021

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.