GDPR: The seven data protection principles
Understanding the core principles of data protection
There are seven core principles which form the foundation of EU and UK data protection law. Understanding and applying these principles is the cornerstone for good practice and key to complying with GDPR / UK GDPR.
This is a quick guide to understanding these principles.
1. Lawfulness, fairness and transparency
This principle covers three key areas.
a) Lawfulness – We must identify an appropriate ‘lawful basis’ before collecting and using personal data. A lawful basis is needed for each purpose we use personal data for, and we must meet the specific conditions attached to that basis. You can read more about the different lawful bases here: GDPR and lawful basis.
Additional requirements apply when using what’s termed special category data, such as health information and ethnicity. Extra care is also needed with data relating to children or vulnerable people.
We should also be sure not to do anything which is likely to contravene any other laws.
b) Fairness – We must only use people’s data in ways which are fair. We should not collect, use or share personal information in a way which might be unexpected, discriminatory or misleading. This means evaluating any adverse effects on individuals.
c) Transparency – We must be clear, open and honest with people about how we use their personal information. Routinely this is achieved by providing relevant privacy information at the point data is collected, for example by publishing privacy notices and making them easily available. Transparency requirements apply right from the start, when we first collect or receive people’s data.
2. Purpose limitation
This is all about only using personal details in the way(s) we told people they’d be used for. We must be clear about what our purposes for processing are and specify them in the privacy information we provide to individuals.
Sometimes we might want to use personal data for a new purpose. We may have a clear legal obligation to do so; if not, we should check the new purpose is compatible with the original purpose(s) we collected that data for. If it isn’t, we may need to secure the individual’s consent before going ahead.
Remember, if we surprise people, they’ll be more likely to complain.
3. Data minimisation
We must make sure the personal data we collect and use is:
- Adequate – sufficient to properly fulfil our stated purposes. Only collect the data we really need, and don’t collect or keep personal information ‘just in case’ it might be useful in future.
- Relevant – having a rational link to that purpose; and
- Limited to what is necessary – no more data than we need for each specific purpose.
4. Accuracy
We should take ‘all reasonable steps’ to make sure the personal data we gather and hold is accurate, up to date and not misleading. It’s good practice to use data validation tools when data is captured or re-used. For example, validate that email addresses are in the right format, or verify postal addresses against an address lookup when these are captured online. Note that a format check only catches typos and mangled input; it doesn’t prove the address is live, which needs a confirmation email or similar.
If we identify that any of the personal information we hold is incorrect or misleading, we should take steps to correct or delete it promptly. Data accuracy declines over time: people change their email address, move house, get married or divorced, and their needs and interests change. Some people on our database will also have passed away. So we need to consider ways to keep our data updated and cleansed, and find ways to give people the opportunity to check and update their personal details.
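As an illustration of the format validation mentioned above, here is an added example (not code from the original page) of a capture-time email check in Python. It trims whitespace, lowercases only the domain (the local part is technically case-sensitive), enforces the usual length limits and rejects inputs that merely look like addresses, such as a double @ or a domain with no dot. The pattern is deliberately stricter than RFC 5322 (no quoted local parts, no IP-literal domains), which is the normal trade-off for sign-up forms, and the sample inputs are constructed for this example.

```python
import re

# Format check only: this says whether a string is shaped like an address,
# not whether the mailbox exists. Deliverability needs a confirmation email.
_LOCAL = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"   # one DNS label
_DOMAIN = rf"(?:{_LABEL}\.)+[A-Za-z]{{2,63}}"                # needs a real TLD
_EMAIL_RE = re.compile(rf"^{_LOCAL}@{_DOMAIN}$")


def normalise_email(raw):
    """Return the normalised address, or None if it fails the format check."""
    if raw is None:
        return None
    candidate = raw.strip()                  # stray whitespace from forms/CSV
    if len(candidate) > 254 or "@" not in candidate:
        return None
    local, _, domain = candidate.rpartition("@")
    if len(local) > 64:                      # RFC 5321 local-part limit
        return None
    # Domain names are case-insensitive; the local part is not, so leave it.
    candidate = f"{local}@{domain.lower()}"
    if not _EMAIL_RE.fullmatch(candidate):
        return None
    return candidate


def validate_batch(raw_values):
    """Map each raw captured value to its normalised form, or None if invalid."""
    return {raw: normalise_email(raw) for raw in raw_values}


# Constructed sample capture data for this example (hypothetical addresses).
SAMPLE_INPUTS = [
    "  Alice@Example.COM ",                # whitespace and mixed-case domain
    "eve.smith+news@mail.example.co.uk",   # sub-addressing and multi-label domain
    "bob@localhost",                       # no TLD: reject
    "carol@@example.com",                  # double @: reject
    ".dave@example.com",                   # leading dot in local part: reject
    "",                                    # empty field: reject
]

if __name__ == "__main__":
    for raw, result in validate_batch(SAMPLE_INPUTS).items():
        print(f"{raw!r:40} -> {result!r}")
```

Rejected inputs should be bounced back to the person at capture time rather than stored with a flag; storing a known-bad address is exactly the inaccuracy the principle is about.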
5. Storage limitation
Don’t be a hoarder! We must not keep personal data for longer than necessary for the purposes we have specified. Certain records must be kept for a statutory length of time, such as some employment data, but not all data processing has a statutory period. Where the retention period is not set by law, organisations need to make a judgement call on appropriate retention periods for different datasets.
The ICO would expect us to have a data retention policy in place, with a retention schedule which states the standard retention period for each processing task. This is a key step to complying with this principle.
When the data is no longer needed, we must destroy or anonymise it, unless there’s a compelling reason to keep it for longer, for example when a legal hold applies. For more detail see our Data Retention Guidance.
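To show how a retention schedule turns into something enforceable, here is an added example (not code from the original page or the Data Retention Guidance) in Python. Each processing task gets a standard period and an end-of-life action (destroy or anonymise), a legal hold overrides the schedule until it is lifted, and a dataset with no schedule entry is treated as an error rather than silently kept. The dataset names, periods and records are hypothetical and constructed for this example; real values come from the organisation’s own retention policy.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Hypothetical retention schedule: standard period and end-of-life action per
# processing task. Periods here are illustrative, not legal advice.
RETENTION_SCHEDULE = {
    "support_tickets":    {"days": 365 * 3, "end_of_life": "anonymise"},
    "marketing_contacts": {"days": 365 * 2, "end_of_life": "delete"},
    "payroll":            {"days": 365 * 6, "end_of_life": "delete"},
}


@dataclass(frozen=True)
class Record:
    record_id: str
    dataset: str
    last_activity: date        # the event the retention clock runs from
    name: str
    email: str
    legal_hold: bool = False   # compelling reason to keep past the schedule


def retention_action(record, today):
    """Decide 'keep', 'anonymise' or 'delete' for one record.

    An unscheduled dataset raises rather than defaulting to 'keep':
    retaining it quietly is the hoarding the principle forbids.
    """
    try:
        rule = RETENTION_SCHEDULE[record.dataset]
    except KeyError:
        raise ValueError(f"no retention period defined for {record.dataset!r}")
    expiry = record.last_activity + timedelta(days=rule["days"])
    if today < expiry:
        return "keep"
    if record.legal_hold:
        return "keep"          # hold wins until it is explicitly lifted
    return rule["end_of_life"]


def anonymise(record):
    """Strip direct identifiers so only the non-identifying part survives."""
    return replace(record, name="", email="")


def run_retention(records, today):
    """Return (action per record id, surviving records after enforcement)."""
    actions, survivors = {}, []
    for rec in records:
        action = retention_action(rec, today)
        actions[rec.record_id] = action
        if action == "keep":
            survivors.append(rec)
        elif action == "anonymise":
            survivors.append(anonymise(rec))
        # 'delete': the record is dropped from the output entirely
    return actions, survivors


# Constructed sample data for this example (hypothetical people and dates).
SAMPLE_TODAY = date(2024, 1, 1)
SAMPLE_RECORDS = [
    Record("t1", "support_tickets", date(2019, 1, 10), "A. Smith", "a.smith@example.com"),
    Record("t2", "support_tickets", date(2023, 6, 1), "B. Jones", "b.jones@example.com"),
    Record("m1", "marketing_contacts", date(2020, 3, 5), "C. Lee", "c.lee@example.com"),
    Record("m2", "marketing_contacts", date(2020, 3, 5), "D. Kaur", "d.kaur@example.com",
           legal_hold=True),
]
# A dataset nobody wrote a schedule for: the run must refuse it, not keep it.
UNSCHEDULED_RECORD = Record("w1", "web_logs", date(2023, 12, 1), "E. Ng", "e.ng@example.com")

if __name__ == "__main__":
    actions, survivors = run_retention(SAMPLE_RECORDS, SAMPLE_TODAY)
    print(actions)
    for rec in survivors:
        print(rec)
```

In practice the anonymise step needs more thought than blanking two fields: free-text notes, rare combinations of attributes and stable internal IDs can all re-identify someone, and hashing an identifier is pseudonymisation, not anonymisation, so the hashed data is still personal data.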
6. Security
This is the ‘integrity and confidentiality’ principle of the GDPR – often known as the security principle. This requires organisations to make sure appropriate security measures are in place to protect the personal data held.
GDPR / UK GDPR talks about ‘appropriate technical and organisational measures’ (known as TOMs). These include things like physical and technical security measures, conducting information security risk assessments, and having information security policies and standards in place to guide staff.
The approach to security should be proportionate to the risk involved, and the ICO advises us to consider available technology and the costs of implementation when deciding what measures to take.
Some standard basics would include transferring data securely (encrypted in transit), storing it securely (encrypted at rest and backed up), restricting access to only those who need it, and authenticating approved data users.
Cyber Essentials or Cyber Essentials Plus can be helpful as an assurance framework to carry out a review of your data security arrangements.
Organisations also need to consider information security standards when appointing and managing relationships with processors, i.e. service providers handling personal data on your behalf to deliver their services. Are your processors handling the data you control securely? It’s important to carry out due diligence during the procurement process, and to keep ongoing relationships under review.
7. Accountability
The accountability principle makes organisations responsible for complying with data protection law, and obliges organisations to have evidence of how they comply with the above principles.
This requires data governance across the organisation. Think of accountability as a collective responsibility, flowing from the executive team down to operational teams handling personal data. To demonstrate how we comply, we need to have records in place. For most organisations this will include a Record of Processing Activities (RoPA).
The ICO provides a useful ‘Accountability Framework’ we can use to benchmark performance against their expectations.
In summary, identify the lawful bases you’re relying on and be fair and open about what you do. Minimise the data you collect and make sure it remains accurate over time. Always keep it secure and don’t keep personal details for longer than you need them. Take care if you want to use personal data for a new purpose. Keep records and be ready to justify your approach.