What are the 7 main principles of GDPR?
The GDPR is a complex piece of legislation regarding the way an organisation processes personal data. In order to ensure that every data protection officer understands exactly what the data protection laws reflect and their legal obligations regarding GDPR compliance, the legislation contains seven data protection principles.
These seven principles cover exactly how to process personal data. To achieve GDPR compliance, it’s essential that data controllers follow the entirety of the principles in order to properly process personal data relating to individuals.
The principles lie at the core of the GDPR and data privacy laws. They provide guidance for everyone who is required to be GDPR compliant. They also provide clarity for the expectations of EU residents as to how their data should be processed. However, the principles do not provide explicit instructions or strict rules for GDPR’s implementation, rather they exist to guide EU member states.
The UK GDPR, which has been implemented since Brexit, follows broadly the same principles. Organizations must demonstrate compliance with these principles through clear internal policies and regular assessments. For more on the implementation of UK GDPR, see the Guide to UK GDPR from the Information Commissioner’s Office (ICO). It sets out in clear and plain language information for data controllers, an organisation’s data protection officer, and anyone else who has day-to-day responsibility for GDPR compliance.
Both EU residents and UK residents can get a good grasp of the data protection measures that should be undertaken regarding their sensitive personal data through their respective GDPR legislation. This is just as important as international organisations' understanding of what they should do to comply with their supervisory authorities.
GDPR defines what happens if there is a personal data breach, whether caused by the data controller, the data processor or any other party with data protection responsibilities. It covers consumer data and how organisations must process data (including sensitive data, biometric data, pseudonymised data, religious beliefs, and any other sensitive information).
GDPR non-compliance can mean, at worst, criminal convictions. Ignoring data protection and data subject rights is a high-risk strategy for any business, regardless of its size or influence. Organisations must avoid unlawful processing of personal data to prevent significant penalties. GDPR fines can be significant, which is why appropriate safeguards must be in place.
EU citizens are protected under this replacement for the old Data Protection Act and the onus is on organisations to ensure that data protection impact assessments are carried out and that they are fully complying with data protection authorities.
Lawfulness refers to the identification of specific grounds for the requirement of processing personal data. To meet the requirements of specific grounds, the GDPR details six different reasons for processing personal data. At least one must apply to comply with the data protection rules laid out by the GDPR.
There is always a requirement to ensure that personal data is not used in a way that would be considered illegal, aside from the stipulations of the General Data Protection Regulation (GDPR). If through processing the data, a criminal offence is committed then that would also be unlawful. This includes things like copyright infringement or a breach of duty of confidence. All of this is important for a company’s offline and online reputation as well as for compliance.
This GDPR principle ensures purpose limitation, meaning that data subjects understand the reasons for providing their personal information and have reasonable expectations about what the organisation aims to do with it. The GDPR sees this as a way of ensuring accountability and preventing the temptation to use the data for purposes other than those disclosed to the individual.
This also allows individuals to decide whether they are happy to provide their details and gives them some assurance about its future use. GDPR cannot prevent all future use for other purposes in certain circumstances, but this principle constrains it.
An example scenario is when there is a link between the new use and the original reason the data was collected. If a person has contacted a business to request information about holidays to California, it’s then compatible to tell them about a special offer on flights to Los Angeles. If, however, the organisation then wanted to use the data to sell other goods and services, they’d have to request new permission.
A data controller should consider the minimum data needed to meet the purpose of the organisation. This amount should then be the maximum held by data processors under the data protection directive. Data, whether this is through automated decision-making or on a case-by-case basis, must be adequate, relevant, and limited. There are no specific definitions issued by the supervisory authority regarding these, as they depend on the original purpose of data collection.
This third principle ensures that EU citizens are treated as individuals and that compliance can be monitored. If some of the detail collected is only needed for a small set of individuals, then it is inappropriate to gather it from all data subjects. Additionally, there cannot be a culture of collecting data on the basis that it may be useful at a future date. If, however, there is an identified requirement for the data in the future, then the GDPR allows for it to be collected in advance.
There is also the requirement to consider this from the alternate perspective of holding inadequate data. This refers to situations in which the data is insufficient for the purpose it was collected. In this case, the data should not be processed as it cannot meet the criteria for which it was deemed necessary.
This is about the quality of the data that is collected. Along with giving a data subject the right to have inaccurate data corrected, GDPR also means having processes in place to ensure the accuracy of the data in the first place. While there is a requirement to update the information regularly, this should be as appropriate for the reason it was initially collected. For example, if a customer places a one-off order, there is no need to contact them regularly to ensure that the address details are still correct.
GDPR allows for the holding of data which includes the opinions of data subjects as long as they are annotated as such and cannot be misconstrued as fact. Clarity is required on what the personal data record should show as this is likely to influence whether it is considered to be accurate or not. For example, holding a client’s old address when they have moved house is still accurate if it is annotated as historical data by the appropriate information systems.
Data can only be kept for the duration defined within the original requirements. Even if it was collected in an easily accessible form according to the requirements of GDPR, it can’t be kept for longer than it’s legitimately needed. To do so is considered non-compliance.
The regulation does not specify any reasonable time frame for keeping the data. The onus is on the business to justify the timescale that they have put in place. It should be assumed that the older the data is, the more likely that it is inaccurate or out of date. There are three situations in which data can be kept for an indefinite period:
More commonly known as the principle of security, this aspect of the GDPR is the secure processing of data to avoid data breaches. This requirement extends beyond cybersecurity and also includes both physical and organisational security. For example, if customer data is used in paper form, there should be appropriate security measures in place to ensure it’s not accessible to anyone outside of the business.
The General Data Protection Regulation (GDPR) requires that data can only be accessed and managed by those that have appropriate authorisation. Additionally, if it is accidentally lost, altered, or destroyed, then there must be a way to recover it. These should be standard contractual clauses within the original agreement with the data subject and should affect all data flows and data portability.
Just as with data storage, GDPR does not define the security measures that should be in place. Instead, it requires that a level of security is put in place, which is ‘appropriate’ to the risks associated with the data processing.
The final GDPR principle is accountability. This requires those processing personal data to take responsibility for their interactions with personal data and their adherence to the other principles. To meet this requirement, there needs to be both measures and records in place so that compliance can be demonstrated across special categories.
This principle is concerned with the secure processing of data to protect personal data and avoid data breaches. While this demonstrates that the organisation takes a lawful approach to its data processing, it also shows clients and suppliers that there is respect for an individual’s rights and freedoms and that data protection is taken seriously.
It also means that if there is an issue such as a data breach or unauthorised disclosure, then it can be demonstrated that there were both measures and safeguards in place to reduce the risk of such an event. This may then mean that there is mitigation against any legal enforcement action.
The risk with any requirement, such as the General Data Protection Regulation, is that it becomes a policy that is written and then sits in the bookcase, forgotten about until something happens. Data controllers must ensure that personal data is not subject to further processing in ways that contradict the original purposes, except for specific exceptions like archiving and research.
This regulation is about ongoing compliance. GDPR also requires regular review and updates to ensure that best practices are always in place and are subject to oversight by public authorities.