Understanding the Seven Data Protection Principles

The seven data protection principles that lie at the heart of the UK GDPR.


Woman and man typing on their laptops in an office setting

At its simplest, the UK GDPR aims to protect the data privacy rights of individuals and hold organisations accountable for wrongdoing. The foundation of this framework is seven principles that ensure compliance at an organisational level. 

Like data subject rights, these principles should be at the core of your approach when processing personal data. 

You could be a Data Protection Officer (DPO) or a small business owner who is getting to grips with the UK GDPR. Whatever skill set you have, this guide will ensure every action you take is founded on best practice, not negligence.   

What Are the 7 Data Protection Principles?

Article 5(1) and 5(2) of the UK GDPR set out these principles: 

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation 
  • Integrity and confidentiality
  • Accountability 

We’ll explain each principle below. 

1. Lawfulness, Fairness & Transparency

If you process personal data, you must have lawful grounds. There are six lawful bases in Article 6 of the UK GDPR, which include:

    • Consent: An individual must give permission for you to process their data for a specific purpose.
    • Contract: You need to process an individual’s data as part of your contract or to enter into a contract. 
    • Legal obligation: You need to process their data to comply with the law, e.g., a court or law enforcement agency. 
    • Vital interest: Your data processing is essential for protecting someone’s life or interest, e.g., a parent on behalf of a child.
    • Public task: You need to process data to conduct a task for an official function or in the public’s interest. 
    • Legitimate interest: The processing is needed for your legitimate interest or the interests of a third party. 

Alongside having a lawful basis, you must handle data with caution so it doesn’t result in a personal data breach, copyright infringement or breach of industry regulations, contractual agreement or Human Rights Act 1998. 

Fairness refers to how you process personal data, which should be fair, justified and accepted. You should not mislead or deceive data subjects in obtaining their data and be aware of treating all individuals equally. 

Transparency is closely tied to fairness in that you must be open and honest with individuals about how and why you are processing their data. This transparency requirement is key to providing people with privacy information in relation to a data subject’s right to be informed. 

2. Purpose Limitation

Organisations should only collect personal data for a specific purpose and inform individuals about what they intend to do with it from the beginning. The law states that processing should not be further processed in a manner that is incompatible with the original purpose for processing.

Under Article 30, most businesses must formally document all their processing activities. This is known as a Record of Processing Activity (RoPA), which includes details about your data processing, purpose, data subjects and categories. 

We have had great success in DataWase, our information management software, for managing RoPAs, subject access requests, DPIAs, and incident logging in one place. 

3. Data Minimisation

When it comes to data processing, less is more. The data minimisation principle states that you should process only the minimum amount of data needed to meet your purpose. 

Don’t let your hoarding habits interfere with collecting data. Holding information ‘just in case’ isn’t plausible. It should only achieve your purpose now, not on the off-chance it could be helpful later down the line. 

4. Accuracy

The accuracy principle refers to keeping personal data up-to-date and recorded with a clear source. You should regularly update the information to ensure it achieves your process and action anything if inaccuracies are identified. 

Inaccurate data is seen as something misleading or incorrect. If an individual pursues their right to rectification, you should take all steps to rectify inaccurate data. You only have one calendar month (unless you can apply for an extension) to complete such requests.  

5. Storage Limitation

The storage limitation principle is closely tied to data minimisation and accuracy principles. All personal data should only be stored for the time necessary to achieve your purpose. 

Erasing personal data prevents it from becoming out of date or irrelevant. As such, following a retention policy will ensure you delete data at appropriate intervals. The UK GDPR doesn’t confirm how long you can retain data, but a good rule of thumb for erasure is whether it is still relevant. 

Deleting data that is no longer needed means that you can handle subject access requests (SARs) more efficiently, as you will have less personal data to manage in order to process the request.

6. Integrity and Confidentiality

Personal data should be processed with appropriate security measures to protect it from unlawful or unauthorised access, accidental loss, destruction or damage. 

This principle refers to having both physical and cyber security measures. Best practices include encryption, pseudonymisation, cloud backup and any basic technical controls in frameworks like Cyber Essentials. 

7. Accountability 

The final and often forgotten principle requires organisations to demonstrate how they comply with the other six principles listed above.

There is no specific way to meet this principle; however, following the Information Commissioner’s Office (ICO’s) best practice guidance is a good place to start!

Below are some examples of how this can be done:

  • Carry out legitimate interest assessments when relying on legitimate interest as a lawful basis
  • Ensuring data sharing agreements (DSAs) are in place between two or more data controllers when disclosing personal data.
  • Complete and maintain necessary documentation, like RoPAs and DPIAs
  • Implement the data protection principles in your organisation
  • Put cyber security measures in place
  • Record and report personal data breaches
  • Appoint or outsource a Data Protection Officer 

By being accountable, you’ll prove to your stakeholders and clients that you value their privacy, which will help build trust. 

Whether you’re a small or large organisation, implementing these principles will result in better legal compliance and a distinct competitive edge. 

Looking for a GDPR Consultancy?

Data Protection People is a trusted GDPR consultancy to sectors nationwide. Our expert DPOs, SAR support desk and wider consultancy prioritise these seven principles in all the work they do. 

We’re passionate about helping clients resolve their most pressing data protection challenges and achieve compliance. Contact our team today to learn more