What are the 7 principles of GDPR?

GDPR’s 7 Principles are set out in Article 5 of GDPR. For those who aren’t aware, an ‘Article’ is just a ‘section’ – so saying ‘Article 5’ is like saying ‘section 5’ for other laws. 

Let’s get into the good stuff: 

1. Lawful, Fair & Transparent

First off, personal data shall be ‘processed lawfully, fairly and in a transparent manner in relation to the data subject’.

This is the Lawfulness, Fairness and Transparency Principle.

The focus here has mostly been on lawful and transparent, which gives you a very good position on fairness. So you may also hear this referred to as the ‘Lawfulness Principle’ or the ‘Transparency Principle’.

• Lawful includes identifying a legal basis for your processing (such as consent or legitimate interests), and otherwise complying with the law. There have been fines for not identifying one or identifying the wrong one.
• Transparent includes providing all the information GDPR requires to the individual data subjects about what you’re planning to do with their personal data. 
• Fairness is subjective but plays into the reasonable expectations of the data subject. As the UK ICO states: ‘This means you must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned.

2. Purpose Limitation

Personal data can only be ‘collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes’.

This is the Purpose Limitation Principle and makes perfect sense; you can’t tell people you’re only processing their data to provide your software services to them, and then suddenly sell it to someone else for them to market insurance to them.  

The key takeaway here is, when you’re creating your Privacy Notices for the Transparency Principle, make sure you cover the purposes for which you’re processing the data. It’s not easy to suddenly start processing for a new purpose if you hadn’t identified it up front.

There are certain exemptions for follow-on research and statistics which aren’t to be seen as incompatible. This is one area the UK is looking at clarifying in its review launched in August 2021… we’ll see how that goes.

3. Data Minimisation

Personal data you process must be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’.

This is the Data Minimisation Principle and it ensures that you don’t collect more personal data than necessary for your stated purpose. Gone are the days of asking for a ton of data – or even not asking. Apps from times gone by used to scrape mobile phones for email addresses, other apps you used and much more. 

Data minimisation has actually always been the case, but GDPR’s fines and increased awareness mean it’s clear you need to be focused on collecting only what’s necessary.

And having less personal data means there’s less to protect against GDPR breach and less to search for a data subject request (DSR).

4. Accuracy

Personal data you process must be ‘accurate and, where necessary, kept up to date’.

This is the Accuracy Principle. Because data must be accurate, it also states that ‘every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay’. 

This points to a couple of the data subject rights: the right to rectification (or to correct inaccurate data) and one aspect of the right to erasure.

5. Storage Limitation

Now you have personal data, you must keep it ‘in a form which permits identification of data subjects for no longer than is necessary for the purposes’ for which it’s processed. 

This is the Storage Limitation Principle. Again, there are some research and statistical exemptions.

When you hear the word ‘retention’ this is what it relates to: don’t keep personal data for any longer than necessary for your specified purposes. 

Some retention periods are set out in law, for example on tax and maternity records, but in most cases this will be a commercial decision based on what is necessary -– and regulators aren’t in the mood to agree ‘infinity’ because you might need it in future. It needs to be related to the purpose.

Again, there are practical benefits from having appropriate retention periods and deleting – or anonymising – personal data: you’ll have less to protect and less to search in response to a Data Subject Request. A quick aside, though: you can’t delete it to avoid answering a DSR.

6. Security

Of course, at all times, personal data must be secure. GDPR’s Security Principle requires that personal data is ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’.

This is the Integrity and Confidentiality Principle. It should’ve just been named the Security Principle, as that’s how it’s most commonly known. 

Security is fundamental to Privacy but it is only 1 of 7 Principles; most of GDPR is not about Security. You can see a great overview in our ‘ISO 27001 is not GDPR’ video over on the Privacy Kitchen YouTube channel.

7. Accountability

And if you’re a controller, you’re ‘responsible for’ and must ‘be able to demonstrate compliance with’ the other 6 Principles.

This is the 7th Principle – the Accountability Principle.

It’s the main change to Privacy Principles from GDPR. Although it’s number 7, you should bake this in from the start. GDPR enshrined Data Protection by Design & by Default into law, and brought in various obligations on records. 

The Accountability Principle means you have to have Privacy Governance in place, focused on GDPR, and be able to demonstrate that to the regulator and for example to stakeholders, including the Board, auditors, investors and customers. 

GDPR’s requirement to put in place Governance, and demonstrate that to stakeholders, is why the Privacy Tech industry, including Keepabl, really came into being.

Bonus Tip – creating your Privacy Framework

If you’re looking to create Privacy Governance to cover more than one jurisdiction, more than one set of laws, it’s a good thing to make it principles-based globally, then tailor for each jurisdiction’s anomalies.

GDPR has set the standard globally for Data Protection, being copied to various degrees from California to Brazil, the Caribbean to India. 

It’s not surprising, as the GDPR’s 7 Principles are all set out in the Council of Europe’s Convention 108 from 1981. This was the first legally-binding international instrument on Data Protection. 55 signatories include the EEA Member States, the UK, Turkey and Russia. 

So, if you’re going global with your governance, start with GDPR’s Principles.

Keepabl’s here to help!

Why not choose Keepabl to create your own Privacy Framework? Our award-winning Privacy Management Software allows you to get up and running with ease, with simple data mapping, instant Article 30 Records creation and comprehensive Risk and Breach functionality for peace of mind. And, you can export reports on all of this at the click of a button so you can keep the Board and Auditors happy.

Want to see our Privacy Management Software for yourself? Get your Keepabl demo. We’re passionate about GDPR and we’d love to speak with you further to show how SaaS automation can improve your compliance.

Privacy Kitchen

Do watch our accompanying Privacy Kitchen video on the 7 Principles of GDPR:

And be sure to check out the other videos on our Privacy Kitchen channel, free video help on all things GDPR and Privacy. There’s a wealth of valuable information on topics including How to Prepare for GDPR Breach, Do I need a DPO? and Schrems II – What does it mean?