Data Privacy Principles

The six principles of data privacy

To help achieve successful compliance, the GDPR highlights six key principles. Here we take a look at each principle and explain what each means.

1. Lawfulness, fairness and transparency

This principle states individual personal data processing is lawful, fair and transparent.

The Data Controller must explain in a clear, concise, transparent and easy to understand manner, how data is processed. Furthermore, the concept of fairness implies processing matches the original intention.

Finally, lawfulness means that processing must meet the tests as stated in the GDPR [article 5, clause 1(a)]:

2. Purpose limitations

According to this principle, Data Collectors and Data Processors collect personal information ‘for specific explicit and legitimate purposes', and do not process it in an incompatible manner.

This means personal data processing is limited to the original purpose. Processing for any other purpose, or at a later stage, is not permissible without further legal permission from the data subject.

3. Data minimisation

Only processing personal data that is ‘adequate and relevant’. Collection is limited to what is necessary in relation to the original purposes of use. Therefore, Data Processors cannot gather data for possible future use, or use it for creating detailed customer profiles, unless it serves a lawful purpose.

Data minimisation follows from the purpose limitation principle and makes it clear that companies have to gather enough data to achieve their purpose from the very beginning, but not more than is necessary.

4. Accuracy

As was the case with the Data Protection Act, the principle of accuracy aims to maintain high standards of data quality. This means personal data must be accurate and periodically checked to keep it up-to-date.

5. Storage limitations

One of the most important principles enshrined in GDPR is that of personal information, which must be ‘kept in a form which permits identification of data subjects for no longer than is necessary, for the purposes for which the personal data are processed.’

Business owners must periodically review and evaluate the data they hold. Methodical cleansing to remove data no longer required should be discarded responsibly.

6. Integrity and confidentiality

This principle is particularly important for Data Processors, failing to observe it can attract punitive fines. It states that ‘personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage, using appropriate technical or organisational measures.’

The application of this principle is a key change in the GDPR. In the wake of high profile data breaches and ever-growing data security risks, Data Processors must focus attention here.

Data Controllers and Processors must conduct risk assessments and implement a robust data security policy. They must also observe the GDPR’s strict breach reporting provisions. High profile data breaches can cause significant embarrassment and expense.


For further help the ICO has produced ‘Preparing for the GDPR: 12 steps to take now to help organisations on how to address the key issues.’  You can also refer to this Whitepaper – GDPR – What you need to know… which includes FAQs and lots of other straightforward guidance.

Also, to help SMEs prepare we have a Whitepaper: GDPR for small businesses. This provides a full overview together with some helpful information and practical steps for working towards compliance. To access this Whitepaper Sign Up to Gravicus Osprey where you will also get
5 Free Data Protection Impact Assessments (DPIAs) with Osprey DPIA as well as access to our Resource Centre.


Telephone: 0203 858 0636

Email: info@


Simply smart data management with Osprey