Understanding the Key Data Protection Principles under GDPR
The General Data Protection Regulation (GDPR) provides seven principles that apply whenever you collect, share, store, or otherwise use personal data.
Following these key principles is a core part of GDPR compliance. The principles help you respect people’s privacy, avoid administrative fines, and develop your products in a safe and sustainable way.
This article will explain each of the seven data protection principles and provide some practical examples of how to achieve compliance.
What Are the Data Protection Principles?
The GDPR’s data protection principles, or “principles of data processing”, are at the heart of GDPR compliance.
You can find the seven data protection principles at Article 5 of the GDPR:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality
Now let’s explore how each of these GDPR principles works
Lawfulness, Fairness, and Transparency
“Personal data shall be… processed lawfully, fairly and in a transparent manner in relation to the data subject...”
The first GDPR principle is really three principles in one—so let’s break it down into its three parts.
Under the GDPR, you can’t process personal data unless you have a “legal basis” (or “lawful basis”). You must also ensure you comply with other relevant laws—for example, the ePrivacy Directive, which regulates cookies.
(“Processing” personal data means using it in basically any way, including collecting it, storing it, sharing it, or erasing it).
There are six legal bases listed at Article 6 of the GDPR. Before processing personal data, you must identify whether one of these legal bases applies.
- Consent: A person has given you permission to process their personal data via a “freely given, specific, informed and unambiguous… clear affirmative action”.
- Contract: You need to process personal data to either enter into a contract or perform your obligations under a contract (e.g., you need a person’s address to send them a product).
- Legal obligation: The law requires that you process personal data (e.g., to keep legally mandated accounting records).
- Vital interests: You need to process personal data to protect someone’s life or health (e.g., to provide personal details in a medical emergency).
- Public task: You need to process personal data to complete a task in the public interest or under official authority (e.g., registering students at a university).
- Legitimate interests: You need to process personal data to pursue a legitimate purpose that benefits you or a third party (e.g., fraud detection).
If you process “special category data”—such as information about a person’s health, political beliefs, or race—you also need an additional legal basis under Article 9 of the GDPR.
According to the UK’s data regulator, the “fairness” element means that you must “stop and think not just about how you can use personal data, but also about whether you should.”
- Considering how your use of personal data might impact people.
- Mitigating any risks—or being prepared to justify them.
- Using personal data only in ways people would reasonably expect (or that you can justify).
- Never misleading or deceiving people about how you process personal data.
Transparency is a vital part of GDPR compliance. You must explain practically everything you do with personal data under the GDPR.
For example, you’ll need:
- A privacy notice explaining how and why you use personal data, who you might share personal data with, and how people can exercise their data subject rights (among other things).
- Shorter notices, provided whenever you collect personal data, explaining why you need it and what you’ll use it for (e.g. as part of a cookie banner or newsletter signup form).
Other third parties, such as Google Play and Apple’s App Store, also require you to provide transparency information.
But to be transparent, you need to fully understand how your organization and products use personal data.
Example: You’re developing an Android app. You must provide Google Play with a “data safety report” explaining how you collect, share, and use personal data. You can use a code-scanning tool to be confident that you’re providing all the relevant information.
“Personal data shall be… collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes…”
Under the “purpose limitation” principle, you should:
- Only collect data for a “specified, explicit, and legitimate” purpose, and
- Not use the data for another, “incompatible” or unrelated purpose.
There are exceptions to these rules on “further processing”, e.g., for historical research purposes and statistical purposes.
Example: You’re developing an app. You collect a user’s phone number for security purposes (multi-factor authentication). You shouldn’t use the person’s phone number for marketing purposes without their consent.
“Personal data shall be… adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed…”
The “data minimization” principle requires that you only process the personal data you need—no more, no less.
Data minimization is closely linked to the concept of “privacy by design”—embedding privacy and data protection into your projects from the earliest stages.
Example: You’re developing an app. You use privacy code scanning to discover how your product collects, uses, and stores personal data. You can now see whether you are collecting or using unnecessary personal data—and you can decide what to do about it.
“Personal data shall be… accurate and, where necessary, kept up to date…”
Under the “accuracy” principle, you must:
- Ensure personal data is accurate and up to date.
- Take “every reasonable step” to correct or update inaccurate or incomplete data.
As noted by the Digital Marketing Association (DMA), the accuracy principle extends to customer profiles generated for marketing purposes. The DMA suggests that embedding a privacy-by-design approach can help meet the accuracy requirement.
Inaccurate data can cause serious problems for data subjects. In 2021, the Spanish regulator fined a credit reference agency €1 million for failing to keep accurate records about people’s debts. The regulator said that if you can’t ensure the accuracy of data, you shouldn’t collect it.
“Personal data shall be… kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed…”
Under the “storage limitation” principle, you must not keep personal data for longer than you need it.
You should tell people how long you’ll keep each type of personal data you collect. You might store personal data for:
- A specific time period (e.g. one year).
- Until a trigger event prompts you to delete it (e.g. until a user deletes their account).
You should always have a good reason to keep personal data for any given period. Some types of processing can require you to store personal data for longer periods, e.g. for archiving purposes and scientific or historical research.
Integrity and Confidentiality (Security)
“Personal data must be… processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures…”
The “integrity and confidentiality” principle is where data protection meets data security. You must take appropriate “technical measures” and “organizational measures” to secure people’s data, guard against internal and external threats, and avoid a data breach.
We can find more detail on the GDPR’s security requirements at Article 32, which mentions that you should:
- Encrypt and pseudonymize (remove identifiers from) personal data where appropriate.
- Ensure the “confidentiality, integrity, availability, and resilience” of any system you use for processing personal data.
- Make sure you can quickly restore access to personal data if you have a physical or technical issue.
- Regularly test your security measures.
All members of your team should receive some training on data security—and GDPR compliance in general.
And if your company develops digital products, engineers have a crucial role in ensuring data security from the start of the development cycle, for example by:
- Identifying data leaks.
- Identifying insecure data storage practices.
- Preventing unnecessary or insecure data collection and data sharing.
- Incorporating data security controls during development (not just GDPR, but potentially other standards such as ISO or PCI).
“The controller shall be responsible for, and be able to demonstrate compliance with (the principles)...”
The GDPR’s final principle is “accountabilty”. You must be able to show how you comply with the GDPR principles.
Accountability under the GDPR can take many forms. Here are some examples of accountability measures from an official EU advisory group:
- Developing internal policies, procedures, and any other necessary documentation.
- Conducting and documenting a data mapping exercise to identify how you collect, use, and share personal data.
- Appointing a data protection officer (DPO) or designating a staff member to oversee privacy and data protection.
- Maintaining a record of processing activities (RoPA)—a requirement under Article 30 of the GDPR.
- Performing data protection impact assessments (DPIAs) or privacy impact assessments (PIAs) where appropriate.
The accountability principle is the only principle that applies to “data controllers” (who decide how and why to process personal data) but not “data processors” (who process personal data on behalf of a controller).
If you offer an app or online service directly to your users, you’re likely a data controller. Controllers are accountable not only for themselves, but also for any processors they use (for example, analytics providers, advertisers, and cloud services can all be processors).
This means it’s essential to understand how you share personal data with third parties such as Google, Microsoft, or AWS. Measures such as privacy code scanning, RoPAs (Article 30 records), and data processing agreements can you stay accountable under the GDPR.
Summary of the Data Protection Principles
We’ve looked at each GDPR principle and considered some examples of how the data protection principles apply in practice.
Here are some key takeaways:
- Lawfulness, fairness, and transparency: Identify a legal basis, use data in reasonable and ethical ways, and provide people with comprehensive information.
- Purpose limitation: Only collect personal data for a specified, explicit, and legitimate purpose, and don’t process it for incompatible further purposes.
- Data minimization: Only collect as much data as you need for a specific purpose.
- Accuracy: Keep personal data accurate, complete, and up to date.
- Storage limitation: Don’t keep personal data for longer than necessary.
- Integrity and confidentiality: Take appropriate measures to keep data secure.
- Accountability: Ensure you can demonstrate how you and your data processors comply with the data protection principles.