Data Protection Basics: The 7 data protection principles

Understanding the key principles of data protection

Let’s get back to basics. There are seven core principles which form the foundation of data protection law. Understanding and applying these principles is the cornerstone of good practice and key to complying with UK / EU GDPR. Here’s our quick guide to the data protection principles.

1. Lawfulness, fairness and transparency

This principle covers 3 key areas.

a) Lawfulness – We must identify an appropriate ‘lawful basis’ for collecting and using personal data. In fact, we need to decide on a lawful basis for each task we use personal data for, and make sure we fulfil the specific conditions for that lawful basis. There are 6 lawful bases to choose from. We need to take special care and look to meet additional requirements when using what’s termed ‘special category’ data or data which relates to minors or vulnerable people. We should also be sure not to do anything which is likely to contravene any other laws.

b) Fairness – We must only use people’s data in ways that are fair. Don’t process data in a way which might be unexpected, discriminatory or misleading. This means evaluating any adverse effects on individuals.

c) Transparency – We must be clear, open and honest with people about how we use their personal information. Tell people what we’re going to do with their personal information. Routinely this is achieved by providing relevant privacy information at the point data is collected, and by publishing a complete and up-to-date privacy notice and making it easy to find. Transparency requirements apply right from the start, when we collect or receive people’s data.

2. Purpose limitation

This is all about only using personal details in the ways we told people they’d be used. We must be clear about what our purposes for processing are and specify them in the privacy information we provide to individuals.

Sometimes we might want to use personal data for a new purpose. We may have a clear legal obligation to do so, but if not we should check the new purpose is compatible with the original purpose(s) we had for that data. If it isn’t, we may need to secure the individual’s consent before going ahead. Remember, if we surprise people, they’ll be more likely to complain.

3. Data minimisation

We must make sure the personal data we collect and use is:

■ Adequate – necessary for our stated purposes. Only collect the data we really need. Don’t collect and keep certain personal information ‘just in case’ it might be useful in future.
■ Relevant – relevant to that purpose; and
■ Limited to what is necessary – don’t use more data than we need for each specific purpose.

4. Accuracy

We should take ‘all reasonable steps’ to make sure the personal data we gather and hold is accurate, up to date and not misleading. It’s good practice to use data validation tools when data is captured or re-used. For example, validate that email addresses are in the right format, or verify postal addresses when these are captured online. If we identify that any of the personal information we hold is incorrect or misleading, we should take steps to correct or delete it promptly.

Data accuracy can decline over time. For example, people change their email address, move house, get married or divorced, and their needs and interests change. And of course some people on your database may pass away. So we need to consider ways to keep our data updated and cleansed. Perhaps find ways to give people the opportunity to check and update their personal details?

5. Storage limitation

Don’t be a hoarder! We must not keep personal data longer than necessary for the purposes we have specified. Certain records need to be kept for a statutory length of time, such as employment data. But not all data processing has a statutory period.

Where the retention period is not set by law, the organisation must set an appropriate data retention period for each purpose, which it can justify. The ICO would expect us to have a data retention policy in place, with a schedule which states the standard retention period for each processing task. This is a key step to making sure you can comply with this principle. When the data is no longer necessary, we must destroy or anonymise it, unless there’s a compelling reason for us to keep it for longer, for example when legal hold applies. For more information see our Data Retention Guidance.

6. Security

This is the ‘integrity and confidentiality’ principle of the GDPR – often known as the security principle. It requires organisations to make sure we have appropriate security measures in place to protect the personal data we hold. UK / EU GDPR talks about ‘appropriate technical and organisational measures’ (known as TOMs). These include things like physical and technical security measures, conducting information security risk analyses, and having information security policies & standards in place to guide our staff.

Our approach to security should be proportionate to the risks involved. The ICO advises us to consider available technology and the costs of implementation when deciding what measures to take. Some of the basics include transferring data securely, storing it securely, restricting access to only those who need it and authenticating approved data users. Cyber Essentials or Cyber Essentials Plus can be helpful as an assurance framework to carry out a review of your data security arrangements.

Controllers should consider information security standards when appointing and managing relationships with processors, i.e. service providers handling personal data on your behalf to provide their services. Are your processors securely handling the data you control? Carry out appropriate due diligence to make sure.

7. Accountability

The accountability principle makes organisations responsible for complying with the UK / EU GDPR and says they must be able to evidence how they comply with the above principles. This requires data governance across the organisation. Think of accountability as a collective responsibility, flowing from the Executive team down through to the teams that process personal data. To demonstrate how we comply, we need to have records in place. For many organisations this will include a Record of Processing Activities (RoPA). The ICO provides a useful ‘Accountability Framework’ we can use to benchmark performance against their expectations.

In summary, identify the lawful bases you’re relying on, be fair, and be open about what you do. Minimise the data you collect and make sure it remains accurate over time. Always keep it secure and don’t keep it for longer than you need it. Take care if you want to use personal data for a new purpose. Keep records and be ready to justify your approach. The ICO has published more detailed guidance on the seven principles.
Data Protection Basics: The 6 lawful bases

A quick guide to the six lawful bases for processing personal data

One of the fundamental data protection principles is that our handling of personal data must be ‘lawful, fair and transparent’. To be lawful, clearly, we shouldn’t do anything illegal in general terms. But what else does it mean to be lawful? We’re given six lawful bases to choose from under UK/EU GDPR. For each purpose we use personal data for, we need to match it with an appropriate lawful basis. For example a purpose might be:

■ Sending marketing emails to our customers
■ Profiling our audience to better target our marketing
■ Handling staff payroll data to pay salaries
■ Handling customer enquiries about our services
■ Delivering a product a customer has requested
■ Implementing measures to prevent fraud

We need to select the most appropriate lawful basis and meet its own specific requirements. Each basis is equally valid, but one may be more appropriate than others for any specific task. We’re legally obliged to set out the lawful bases we rely on in our privacy notices. If none of them seem to work, you may want to question whether you should be doing what you’re planning to do.

Quick guide to the 6 lawful bases

(This is not intended to be exhaustive; do check the ICO’s Lawful Basis Guidance.)

1. Contract

This lawful basis will be appropriate if you need to process an individual’s personal information to deliver a service to them, or you need to collect certain details to take necessary steps before entering into a contract or agreement.

Example 1: An individual purchases a product from you and you need to handle specific personal information about them in order to deliver that product, including when you acknowledge their order, provide essential information, and so on.

Example 2: Someone asks you to give them a quote for your services, and you need certain information about them in order to provide that quote.

Contract tips:
■ It doesn’t apply to other purposes you may use the data for which are not essential.
■ It’s most likely to be used when people are agreeing to T&Cs, although it can also be used where a verbal agreement or request for information is made.
■ The person whose data you’re processing must be party to the contract or agreement with you. It doesn’t apply if you want to process someone’s details, but the contract is with someone else, or with another business.

2. Legal obligation

There may be circumstances where you are legally obliged to conduct certain activities which will involve processing personal data. This could be to comply with common law or to undertake a statutory obligation.

Example 1: You are offering a job to someone outside the EU. You need to check they have a visa to work in the UK, as this is a legal obligation.

Example 2: Airlines and tour operators collect and process Advance Passenger Information (API), as this is a legal requirement for international air travel.

Legal obligation tips:
■ Legal obligation shouldn’t be confused with contractual obligations.
■ Document your decision. You should be able to either: a) identify the specific legal provision you are relying on, or b) identify the source of advice/guidance which sets out your obligation.

3. Vital interests

You can collect, use or share personal data in emergency situations, to protect someone’s life.

Example: A colleague collapses at work, is unable to talk, and you need to tell a paramedic they have a medical condition. Common sense should prevail.

Vital interests tips:
■ It’s very limited in scope, and should generally only apply in life and death situations.
■ It should only be used when you manifestly can’t rely on another basis. For example, if you could seek consent, you can’t rely on vital interests.

4. Public task

You can process personal data if necessary for public functions and powers that are set out in law, or to perform a specific task in the public interest.

Most often this basis will be relied upon by public authorities and bodies, but it can apply in the private sector where organisations exercise official authority, or carry out tasks in the public interest.

Public task tips:
■ If you could reasonably perform your tasks or exercise your powers in a less intrusive way, this basis won’t be appropriate. The processing must be necessary.
■ Document your decisions, specify the task, function or power, and identify the statutory or common law basis.

5. Legitimate Interests

This is the most flexible lawful basis, but don’t just assume what you’re doing is legit. It’s most likely to be appropriate when you use people’s data in a way they’d reasonably expect, where there is minimal impact on them, or where you have a compelling justification.

Legitimate interests must be balanced. You must balance the organisation’s interests against the interests, rights and freedoms of individuals. If your activities are beyond people’s reasonable expectations or would cause unjustified harm, their rights and interests are likely to override yours.

Legitimate interests – when it isn’t legit

Legitimate Interests tips:
■ Conduct and document a Legitimate Interests Assessment (LIA). This may be relatively simple and straightforward, or more complex.
■ Consider whether you can provide people with an easy way to object. This is not essential in all situations (e.g. fraud protection).
■ Be open about where you rely on legitimate interests so it’s likely to be within people’s reasonable expectations. Remember to include what your legitimate interests are in your privacy notice.
■ Check the ICO’s guidance on when legitimate interests can be relied upon for marketing activities.

Important note: In June 2025 the UK Data (Use and Access) Act introduced a new lawful basis for processing into the UK GDPR. This lawful basis of ‘recognised legitimate interests’ can be relied upon by organisations for specific purposes without being required to conduct a balancing test (i.e. a Legitimate Interests Assessment). The list of recognised legitimate interests includes the following (and may be expanded):

■ Disclosures to public bodies, where it is asserted personal data is necessary to fulfil a public function.
■ Disclosures for national or public security or defence purposes, or emergencies.
■ Disclosures for prevention or detection of crime, and safeguarding vulnerable individuals.

6. Consent

This is when you choose to give individuals a clear choice about the use of their personal details for a specific purpose, and they give their clear consent for you to go ahead. The law tells us consent must be a ‘freely given, specific, informed and unambiguous’ indication of someone’s wishes given by a ‘clear affirmative action’. Consent is all about giving people a genuine choice and putting them in control. They must be able to withdraw their consent at any time, without a detrimental impact on them.

Consent, getting it right.

Consent tips:
■ It should be clear what people are consenting to.
■ Consent shouldn’t be bundled together for different purposes; each purpose should be distinct.
■ It must not be conditional – people shouldn’t be ‘forced’ to consent to an activity as part of signing up to a service.
■ Consent is unlikely to be appropriate where there may be an imbalance of power. For example, if an employee would feel they have no option but to give consent to their employer (or might feel they could be penalised for not giving it).
■ The law sometimes requires consent. For example, under the electronic marketing rules consent is sometimes a requirement.

In summary, consider all the purposes you have for processing personal data. Assign a lawful basis to each purpose and check you’re meeting the specific requirements for each basis. Tell people in your privacy notice the lawful bases you rely on, and specifically explain your legitimate interests.

Finally, don’t forget: if you’re processing special category data (for example data revealing racial or ethnic origin, health data or biometric data) you’ll need a lawful basis, plus you’ll need to meet one of the conditions under UK GDPR Article 9. For criminal convictions data you’ll need a lawful basis, plus one of the conditions under UK GDPR Article 10.
Privacy Notices Quick Guide

The right to be informed

All businesses need an external-facing Privacy Notice, aka Privacy Policy, if collecting and handling people’s personal information. Data protection law tells us we must provide people with easily accessible and specific privacy information when we collect their data. This guide sets out the key considerations and core requirements for our Privacy Notices.