GDPR: Understanding the 6 Data Protection Principles

The EU GDPR (General Data Protection Regulation) outlines six data protection principles that summarise its many requirements. Some refer to them as the six data ‘processing’ principles.

These principles lie at the heart of the Regulation. Meeting them goes a long way towards overall GDPR compliance.

In this blog

• An overview of each principle:
  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
• Practical tips on complying with each principle
• How the Europrivacy scheme can help
• An overview of the ‘seventh’ principle – accountability – and how you can comply with it

1. Lawfulness, fairness and transparency

The first principle is relatively self-evident: organisations need to ensure their data collection practices don’t break the law and they aren’t hiding anything from data subjects.

Going through one point at a time:

• To process data ‘lawfully’, you must be meeting at least one of the GDPR’s lawful bases. Your data processing must also not breach any other laws.
• To process data ‘fairly’, it must not be unduly detrimental, unexpected or misleading to data subjects.
• To process data ‘transparently’, you must be clear, open and honest with your data subjects about how you’ll use their data. Privacy notices are a common tool for communicating this.

2. Purpose limitation

You may only collect and process personal data for specific purposes.

In the interests of transparency, you must also make those purposes clear from the start to data subjects. Plus, you must document those purposes to demonstrate accountability.

If you later want to process the data for a new purpose, either:

• This is necessary to meet a clear obligation or a function set out in law; or
• You need to obtain specific consent.

The GDPR gives more freedom to further processing for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes.

3. Data minimisation

Quite simply, keep the amount of data you collect and process to a minimum.

You do this by ensuring:

• The data is sufficient to fulfil your declared purpose for processing;
• The data is clearly linked to that purpose; and
• You don’t hold more data than you need to fulfil that purpose.

Doing the above has two major benefits:

• In the event of a breach, less data will be compromised.
• Keeping data accurate and up to date (a GDPR requirement) will be easier.

Finding this blog helpful? If you want to be notified of future blogs, free webinars and other free resources, subscribe to our free weekly newsletter: the Security Spotlight.

4. Accuracy

The accuracy of personal data is integral to data protection. The GDPR states that you must take “every reasonable step” to rectify or erase data that’s inaccurate or incomplete.

On top of that, you must keep the data up to date if necessary for your purpose for processing. For example, you must keep payroll data up to date, but not address details for a one-off order.

If you discover any inaccuracies in your data – because a data subject tells you so, for example – you must correct them as soon as possible. You should also keep records of any challenges to the accuracy of your data.

5. Storage limitation

Similarly, you must delete personal data you no longer need. This is usually because you’ve already fulfilled your purpose for processing.

To help you both meet this principle and demonstrate your compliance, you should document the standard retention periods for different types of data.

You should also periodically review the data you hold, and destroy it when no longer required.

6. Integrity and confidentiality

Using “appropriate technical or organisational measures”, you must:

• Keep the personal data you hold secure; and
• Ensure its security when you (or someone else on your behalf) process it.

The best way to ensure both effective and affordable security is to start with a risk assessment. Then, based on its results, you implement appropriate mitigating controls.

As you do so, bear in mind the following:

Your measures must cover both integrity and confidentiality

• Integrity: protecting your data from unauthorised modification, destruction and loss.
• Confidentiality: preventing the data from falling into the wrong hands.

We also recommend considering availability: that the data is accessible when needed.

Your measures can be both technical and organisational

Security best practice says you use a combination of both:

• Technical controls, like firewalls, password protection and anti-malware software, offer a basic, first layer of defence, preventing most common cyber attacks from succeeding.
• Organisational controls tend to cover both people and processes:
  • Staff awareness training, so that your employees don’t fall for phishing attacks and do report them, combines well with technical controls.
  • Documented policies and procedures will also help guide staff and demonstrate accountability.

  How can you demonstrate you’ve met this principle?

  The Europrivacy ™ / ® certification scheme offers a practical solution to this problem. Even if you are happy with your security, how can you assure others, such as regulators?

  By achieving Europrivacy certification, you can demonstrate compliance with the GDPR.

  As Alice Turley, our senior privacy consultant and trainer, explained:

  It was only when the EDPB [European Data Protection Board] approved Europrivacy that we got a mechanism for organisations to definitively stamp their data processing activities as ‘GDPR compliant’.

  The scheme offers a structured approach for organisations globally to demonstrate their GDPR compliance. And, for that matter, to demonstrate compliance with other national data privacy obligations.

  What are the benefits of Europrivacy certification?

  When we asked Alice, she said:

  The GDPR frequently [18 times] mentions the requirement for “appropriate technical and organisational measures” to protect personal data when stored or processed.

  But it doesn’t specify a framework on what appropriate technical and organisational measures may actually look like. This has left a gap for organisations to fill.

  That’s your first benefit of Europrivacy: providing a detailed framework of those appropriate technical and organisational measures.

  Certification therefore allows organisations to conveniently demonstrate that their data processing activities are GDPR compliant. This is an assurance that customers, partners and other stakeholders will welcome. It gives the organisation an edge over competitors – data breaches are constantly in the news, and no one wants to be the next headline.

  The seventh principle: accountability

  The GDPR includes an additional principle: the ‘accountability’ principle. This requires organisations to demonstrate they’re complying with the other six principles.

  This is typically done through a combination of technical measures and documentation such as:

  • Privacy notices;
  • Staff training records;
  • Controller–processor contracts;
  • Relevant policies and procedures;
  • DPIAs (data protection impact assessments); and
  • Security monitoring, event logging and data breach records.

  This isn’t an exhaustive list, but it covers the essentials.

  Organisations should also consider appointing a DPO (data protection officer) or another formal data protection lead to demonstrate compliance.

  Achieving certification to Europrivacy, or a more general information security standard like ISO 27001, also shows your commitment to data security.

  Looking for more GDPR expertise?

  

  If you want to learn more about the GDPR and how to achieve and maintain compliance, take a look at our GDPR Toolkit.

  Designed and developed by GDPR experts, the toolkit contains a complete set of template documents to demonstrate your compliance practices.

  Ideal for anyone who wants help completing their documentation requirements quickly and easily!

  But our toolkit contains more than simply a set of templates. It also includes:

  • Gap analysis and DPIA tools that help you identify compliance weaknesses and how to address them;
  • Two licences for the GDPR Staff Awareness E-learning Course; and
  • An audit checklist and competence matrix.

  We originally published a version of this blog in January 2018.

  Related Posts

  

  The GDPR: Inviting past attendees to future events

  

  How to write GDPR-compliant consent forms

  

  Big data organisations have given us a “crisis of confidence”

  About The Author

  Kyna Kosling

  Kyna (pronounced “KEE-na”) has worked at GRC International Group since January 2018, and posted on the blog since October 2023. She spends a lot of her time interviewing subject-matter experts.

  15 Comments

  Peter Green 1st August 2018

  I’m finding it difficult to get an answer to my GDPR question and bearing in mind the complexity of the rules I guess that’s not so surprising! Perhaps you could give me your thoughts. A local UK town council has responsibility for the local cemetery and particularly a Wall of Remembrance there. I am one of he approx. 300 plaque owners on that wall and because of damage to the wall I personally would like to contact the other owners. The Council has a digital register of owners but has refused my request for a copy. My use of the register will be completely personal and in no way offering goods or services. I just want to inform my co-owners of the present state of the wall and get their opinions of the situation.
  Do you think there is any way the Council can supply me with a copy of the register, legally and within the limits of GDPR?

  Denise Rolph 10th January 2020

  Hi Peter Without consent of the register of owners, then the Council are indeed following the correct process, you could place a notice for anybody to contact you concerning this matter. GDPR protects the rights of the individual. Any breach of GDPR is serious & they could be fined for breach of Princples or Governance
  Breach of the 6 Principles mean a fine can be imposed on Companies:
  The ICO governs GDPR
  Breach of Principles 4% of total global turnover or €20,000 whichever is the highest
  Breach of Governance 2% of total global turnover or €10,000 whichever is the highest. This is indeed a huge subject I spent a week on a course learning about GDPR & the above is just a summary in laymans terms, hope that helps.

  R Nesargi 7th February 2020

  Isn’t GDPR for living people only or does it cover dead people as well?
  Further, assuming that GDPR covers the dead people as well, why would GDPR cover data that was already in possession of an individual but has lost it and it that individual is going to use it in non-commercial purpose.

  Jessica Belton 7th February 2020

  Hi The GDPR only applies to the personal data of living individuals – as per Recital 27 of the GDPR: “This Regulation does not apply to the personal data of deceased persons.” Regardless of whether personal data has been lost or not, if it falls under the definition of personal data under the GDPR (Article 4(1)), then it is still within scope of the GDPR and must be protected accordingly.

  Missy 13th June 2021

  I think we’ve been duped. If my data can be sold I should get paid. I keep reading weird disclaimer about how they don’t sell data. We deserve privacy in our business and lives not promises about things we never thought of by individuals who hide behind jargon.

  Ian Crosby 23rd January 2020

  I am considering making a request to South wales Police about information they hold on their system. The problem I see is this. I beleive they will refuse my request, as the information they hold is about animals which were inspected at my home by my local council. In other words the information currently retained by South wales Police is therefore about my animals, and not myself. So would they be within their rights, as I believe they may be, to refuse my request for access to the documents they hold on their system?

  Jessica Belton 29th January 2020

  Hi Ian This request actually doesn’t fall under GDPR as it only applies to living individuals and not the data of animals. Therefore, you cannot actually submit a data subject access request to the Police regarding this.

  R Nesargi 7th February 2020

  Isn’t GDPR for living people only or does it cover dead people as well?
  Further, assuming that GDPR covers the dead people as well, why would GDPR cover data that was already in possession of an individual but has lost it and it that individual is going to use it in non-commercial purpose.

  Jessica Belton 7th February 2020

  Hi The GDPR only applies to the personal data of living individuals – as per Recital 27 of the GDPR: “This Regulation does not apply to the personal data of deceased persons.” Regardless of whether personal data has been lost or not, if it falls under the definition of personal data under the GDPR (Article 4(1)), then it is still within scope of the GDPR and must be protected accordingly.

  N .Hillier 8th October 2020

  Hello
  At my relative’s care home a couple of residents have tested positive for Covid and obviously kept isolated. The home is not prepared to tell other residents (who all go through the same testing regime) which residents have tested positive citing the GDPR rules. This lack of openness seems OTT and keeps residents in the dark about what is going on with their fellow residents when they suddenly disappear for two weeks. What is your view?

  Geraldine Niven 4th February 2021

  I live in sheltered accomodation and having the same problem, do managers have to inform residents who has got covid, we have got 4 cases at the moment and only heard this through word of mouth

  Paul Carter 11th January 2021

  I am currently proceeding towards an employment tribunal hearing against my employer for unfair constructive dismissal. Ive been told I should make a data retrieval request to them most particularly emails, text messages and whatsapp messages that may concern me. I suspect they may aleady be clearing caches of emails. Is it legal for them to attempt to conceal their discussions about me by deleting or hiding data? Thanks in advance.

  Lolan Olan 3rd December 2021

  I requested for DSAR in a company and some of my data were sent me, during the request. I did receive the DSAR but they are unable to provide me the original data which was still with Data protection commission investigation. But surprisingly during a WRC hearing a case discrimination case I discovered some vital data ment for data request were sent to me via email without my consent to the company. When I wrote the company the data protection officer replied me that the company has legal privilege

  NDC Management 29th December 2021

  Hi, I am really delighted to glance at this website post which includes plenty of valuable information about gdpr analysis, thanks for providing such statistics. Thank you for sharing the wonderful article. Great post. I will be your regular visitor.