What Are The 6 Principles of GDPR? + The 7th principle

Johannes Eyolf Aagaard 22 March, 2024

Introduction

With its 11 chapters and 99 articles, navigating the EU's GDPR regulation may seem daunting. It can be challenging to determine where to start and end to ensure all aspects are covered.

Fortunately, it's not necessary to memorise every article to ensure your business complies with the regulation. Article 5 provides a clear overview of how personal data should be treated. This is done through seven overarching principles. These principles act as a summary of the entire regulation. With subsequent requirements building upon them. This doesn't mean one should rely solely on Article 5, but it serves as an excellent starting point. This applies to implementing GDPR, updating existing implementations, or educating employees about GDPR. The seven principles offer valuable support for both large and small businesses. Targeting all companies required to comply with the GDPR regulation. This article will focus on Article 5 and the seven overarching principles described therein. To make the principles practically relevant, the article will also include examples. Examples of how you can work with each principle in practice.

Do you want to learn more about GDPR? Then you can find our complete guide here: Everything you need to know about GDPR.

Need help with your GDPR compliance? Start using Privacy today. It's free and without obligation.

What are the 7 principles of GDPR?

As mentioned, the seven principles are found in Article 5. Fundamentally, six principles are listed in the first subsection, a to f. And the seventh principle is found in the second subsection. The overall purpose of these principles is to ensure that as a business processing personal data, this is done with respect and security. So that the data subjects can trust their data is in good hands.

In GDPR, there are several documentation requirements you must meet, including:

Keeping a record of your processing activities.
Documenting which parties you share data with.
Conducting risk assessments of the data subjects' personal data.
Maintaining a GDPR calendar.
Documenting policies and procedures related to data protection.

The purpose of these documentation requirements is to ensure you can document compliance with the principles. This will be elaborated further in the seventh principle.

Principle 1: Lawfulness, fairness, and transparency

The first principle covers three fundamental areas you must comply with:

Lawfulness: The processing of personal data you conduct must have a legal basis. This means you must have a valid legal basis for processing the personal data. These legal bases can vary and be obtained in different ways. The essential part is ensuring that the processing has a valid legal basis. The legal bases are specified in GDPR Article 6. And a supplementary legal basis required for processing sensitive information (e.g., health information) is found in Article 9. Consider which legal bases are relevant for the people you process data about. And to the processing purpose. Example of lawfulness: When you send a newsletter to your customers, the recipients must have given their consent for you to send them this newsletter. The consent becomes your legal basis (Article 6, paragraph 1, letter a). In this case, you must also ensure that the data subject has the opportunity to withdraw their consent. And if this happens, you no longer have a legal basis for the processing.
Fairness: You must treat the data subject's data fairly. This means that you are responsible for the personal information and cannot disclose it inappropriately. Example of fairness: Ensure that the places where you store personal data are secure. Follow recognised best practices for security measures, both technical and organisational.
Transparency: The data subject must be able to gain insight into which personal data you process about them and the purpose thereof at any time. The information must be clear and understandable, without being complicated or unclear. This is no matter if you are processing contact information or health information on the data subject. Example of transparency: Ensure you inform the data subjects in clear and easy-to-understand language. Not filled with legal terms. Inform about what personal data you process about them and why. This information should be easily accessible to the data subject. Often through privacy policies, which are available on the website (e.g., for customers) and on an intranet (e.g., for employees).

Principle 2: Purpose Limitation

Purpose limitation is fundamental to GDPR. It's key for handling personal data both securely and responsibly. This principle appears in Article 5, section 1, letter b. Data must be collected only for clear, explicitly stated, and legitimate reasons. Businesses need a definite, lawful aim when collecting personal data. Furthermore, processing later on should not stray from these initial reasons.

Take, for example, an educational institution collecting student information. This might cover names, addresses, and educational histories. These details are valid for sending course information and updates. However, using this data for third-party marketing without clear consent breaches the purpose limitation principle. This case underscores the need for openness in data collection and use. It ensures activities align closely with agreed purposes.

Strict adherence to the purpose limitation principle signals your company's dedication to data protection. It builds trust and security in relationships with users or customers. This principle is vital. It's essential not only for complying with GDPR but also for enhancing your reputation as a responsible data handler.

Principle 3: Data Minimisation

Data minimisation stands as a crucial GDPR principle. It requires that data collection and processing be "adequate, relevant, and limited to necessities for the processing purposes". This principle is articulated in Article 5, section 1, letter c. It promotes the careful and judicious management of personal data, ensuring only essential information is collected.

This implies a "need-to-have" approach in your company. Especially when gathering customer or user data. Suppose your business deals in online sales and delivery. Collecting the customer's name, address, and payment details is necessary to complete transactions and deliver goods. Collecting extra information, like birthdates or hobbies, isn't required unless it's relevant to the service.

An event planning app asking for contact access serves as a good example. It might find value in obtaining user location data to suggest nearby events. Yet, this goes against the data minimisation principle if such data isn't vital for the app's main function. By soliciting and keeping only indispensable data, the app adheres to the data minimisation principle. This shows respect for user privacy.

Principle 4: Accuracy

The principle of accuracy is central to GDPR. Emphasising the importance of ensuring that personal data are accurate and, where necessary, kept up to date. Article 5, section 1, letter d, mandates that "every reasonable step must be taken" to ensure that personal data that are inaccurate, considering the purposes for which they are processed, are erased or rectified without undue delay.

An example of applying this principle occurs when a customer changes their address. If the company sends invoices or important notices by post, it's crucial that the customer's address information is updated. And that it is accurate to prevent misunderstandings or loss of important correspondence. In such cases, the company has a responsibility to update the address in their systems promptly upon being informed of the change. This might involve a system allowing customers to update their information. This could be via a user portal or a process where customer service updates the information after receiving a request from the customer.

Additionally, it's vital for companies to implement internal control measures. So they regularly verify the accuracy of stored personal data. For example, an annual review of customer data could help identify and correct any inaccuracies. This might be as simple as an email prompting customers to confirm or update their details.

Principle 5: Storage Limitation

The storage limitation principle in GDPR highlights the need to keep personal data no longer than necessary. It applies to the purposes for which data were collected. This principle is detailed in Article 5, section 1, letter e. It states personal data should not be kept in identifiable form beyond the required period. Yet, there are exceptions. Data can be kept longer if used only for archiving, public interest, scientific research, or statistics. This is in accordance with Article 89(1). For this to happen, safeguards must be in place. These safeguards protect the rights and freedoms of the data subjects.

Consider an online retailer as an example. This retailer stores customer data for order fulfilment and support. The retailer must delete or anonymise personal data after fulfilling the order. This should also happen once warranty or return periods end. Such actions turn personal data into anonymous information. Consequently, this removes the data from GDPR's reach.

It's vital to have a clear deletion or anonymisation policy. This policy should specify how and when to handle data. Following the storage limitation principle is key. It reduces data breach risks. It also safeguards privacy by keeping only necessary data for the required time.

Principle 6: Integrity and Confidentiality

The principle of integrity and confidentiality is crucial for personal data protection under GDPR. It requires processing personal data securely. This includes defending against unauthorised or illegal processing. It also covers protection from accidental loss, destruction, or damage. This is achieved through technical or organisational measures. The principle is outlined in Article 5, section 1, letter f. It emphasises the importance of guarding personal data against any threats. Such threats could harm the data's integrity and confidentiality.

Consider a health app as an example. This app gathers and stores users' sensitive health information. To align with integrity and confidentiality, the app needs strong encryption. This encryption protects data as it's sent. The app must also set up access controls. These controls ensure only allowed staff can view user health details. Measures might include multi-factor authentication for all. Regular checks on who has access rights help too. This prevents unauthorised entry.

By applying these security steps, the app meets GDPR requirements. It also boosts user confidence. Users feel their personal and sensitive data is treated with maximum care and protection.

Principle 7: Accountability

The accountability principle is central to GDPR. It demands that data controllers adhere to and prove adherence to all GDPR principles. Article 5, section 2, lays out this requirement. It compels businesses to actively ensure and record that personal data processing is lawful.

A solid internal data protection policy helps businesses meet this principle. Such a policy could encompass frequent audits and staff training on data protection. It also involves detailed logs of who accessed data and how it was handled. For instance, an e-commerce site might implement strict access and encryption measures. These measures protect customer information. The site would also log all data transactions and access. It's crucial that employees handling personal data receive training on these policies and procedures.

Obtaining certifications like ISO 27001 boosts accountability. This certification is a globally recognised standard for information security management. It not only confirms GDPR compliance but also reflects a commitment to high security standards.

Designating a Data Protection Officer (DPO) is another step towards accountability. The DPO monitors GDPR adherence, offers best practice advice, and liaises with regulatory bodies and data subjects.

Accountability in GDPR requires a comprehensive data protection strategy. This includes implementing and documenting effective security measures. Doing so shows a business's commitment to protecting data. And it ensures transparency and security in data processing practices.

How can the .legal platform Privacy help comply with the seven principles?

At .legal, we've developed the compliance platform Privacy. It will assist you with your documentation on how to comply with GDPR. Including the seven overarching principles.

The platform essentially guides you through the seventh principle, "Accountability". Helping you identify which information needs to be documented to be GDPR-compliant. Privacy also enables you to record:

Your Article 30 records, for an overview of the company's data processing activities. (Read more: How to make data mapping simple)
How long you store data.
Which security measures you've implemented to protect personal data.
A risk module, to assess potential areas for security enhancement. (Read more: How to make a GDPR risk assessment and What is a Risk Assessment Matrix?)
A annual wheel and task management, which can be used to plan how to comply with the seven principles.
And much more - read more about the software in general here

If you're looking for a helping hand, you can start using the Privacy platform for free today. It takes only two minutes, requires no credit card, and comes with no obligation.