7 principles of GDPR: An Overview

By now, you’ve probably come across GDPR a fair amount of times online and in the context of your own business activities. But how familiar are you with the 7 principles of GDPR that underpin the regulation itself? Read on to learn more about the 7 principles of the GDPR, how they govern the handling of personal data, and the practical implications for you and your business.

On this page, you’ll find:

What personal data is under the GDPR and why it's critical to protect it.
What the 7 principles of the GDPR are and why they are important.
A FREE downloadable step-by-step guide to storing and sharing GDPR-compliant files.

The concept of personal data is what forms the core of the GDPR. As a result, understanding what personal data under GDPR is (and what doesn’t qualify) is fundamental for your compliance journey.

This is also because if you are processing personal data under GDPR, you will be responsible for putting certain safeguards in place to keep that information safe by using principles of privacy by design. You need to understand the full scope of your duties and limitations towards personal data when it comes to how you handle the information throughout its whole life cycle.

Without further ado, Article 4 of the regulation defines personal data under GDPR as:

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

In other words, personal data is any bit of information which can help you identify a living individual. Examples of personal data include:

Names
Email addresses
Phone numbers
Home addresses
IP addresses
And more

On top of that, there are some types of personal data which are considered more sensitive than others. These are given special protection under the GDPR precisely because of their sensitive nature. Some examples of sensitive personal data under GDPR include:

Information relating to racial or ethnic origin
Information regarding sexuality or orientation
Biometric data
Medical/health records
Criminal records
Information relating to religious or spiritual beliefs and affiliations
Trade union membership
And more

Of course, there are many reasons that personal data should be protected. But some of the most important ones are the following: to protect the fundamental rights and freedoms of the individual in question, to prevent anyone from being discriminated against on the basis of their identity, and to make sure their personal information isn’t misused by third parties for fraud or identity theft for example.

Here are a few examples of what doesn’t qualify as personal data under GDPR:

Information about a deceased individual
General company email addresses like inquiries@company.com
Anonymized data
Information about legal entities such as companies or public authorities

Apart from understanding what personal data is, it’s also vital to understand the difference between being a data processor and a data controller, as that will also inform the responsibilities and limitations you have in terms of personal data. So here goes!

The data controller decides why and how personal data should be processed. So if your company is in charge of determining those processes, then you are the data controller, and employees processing personal data in your organisation need to adhere to the rules which apply to this category.

The data processor, on the other hand, only handles personal data on behalf of the controller. This is usually a third party contractor who is hired by the company to do something for them. When a company hires a third party which will process personal data for them, they need to agree in a legally binding contract how all parties will handle personal data.

Of course, due to the complexity of modern-day business operations, it is often the case that an entity is a data controller and a data processor too.

Article 5 of the GDPR lays out seven principles for the lawful processing of personal data which inform the entire regulation and provide the framework for compliance. Here are the 7 principles of GDPR:

Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality (security)
Accountability principle

The 7 principles of GDPR lie at the heart of the data protection regulation. This improved approach towards data protection marked a mindset shift which has fundamentally transformed the way that we manage personal information throughout the full lifecycle of the data, a change which continues to evolve on a global scale every year. Rather than a set of hard rules, they describe a data protection mentality which must be upheld, creating a wide umbrella of appropriate behaviours and a framework for compliance.

And of course, it’s worth knowing and following the 7 principles of GDPR because of the consequences of noncompliance. If you don’t demonstrate a willingness to follow this approach and your noncompliance is discovered, you can be subject to serious fines as well as financial loss from the damage to your brand’s reputation. According to the Article 83 of the GDPR, infringements of the principles of data processing are subject to the highest tier of administrative fines, which means that you could be fined up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher.

Related reading:
Becoming GDPR compliant in 2021: beginners guide for SMEs

Rather than an exhaustive list of specific and exacting rules for every possible scenario, the GDPR lays out an umbrella approach to managing personal data in a fair, secure, and transparent way. The goal is to ensure that it is not misused by businesses and also that it does not fall into the hands of anyone who is not authorized to handle it.

As a result, the regulation is built on the following 7 key principles which aim to guide businesses when it comes to the thorny issue of managing personal data:

1. Lawfulness, fairness and transparency

“Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness, transparency’)” Article 5(1)(a) of the GDPR

This means that companies have to be totally upfront about what data they are collecting about you, why it’s being collected, and how it will be used. To clarify, for data collection to be legal, it must be completely transparent, so that customers know what they’re getting into. Lawfulness also refers to following regular legal obligations as well.

On a more practical level, this also means that your privacy and cookie policies need to be written in an easy to understand way (i.e. no overwhelming legal jargon) and customers need to have clearly visible options to opt in and opt out as they wish where processing is based on consent. Every-day examples of this kind of visibility are cookie policy pop ups when you visit a new website, or the handy little link at the bottom of an email newsletter which gives you an easy and quick way to unsubscribe if you’d prefer not to receive any more communications.

2. Purpose limitation

“Personal data shall be: (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.” Article 5(1)(b)

Purpose limitation is closely intertwined with the first principle of the GDPR, i.e. Lawfulness, fairness, and transparency. Basically, purpose limitation means that once you have identified and clearly expressed why you are collecting data, you can’t turn around and use it for something else all of a sudden. In order for customers to trust you, you need to stick with the purpose you’ve outlined, clearly communicate any changes, and make sure not to overstep those boundaries.

3. Data minimisation

“Personal data shall be: (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)” Article 5(1)(c)

Just as with purpose limitation, the purpose of data collection needs to be defined and limited, so does the actual amount of data within the data minimisation principle. This principle states that companies should figure out the absolute minimum amount of data they need to fulfill the purpose identified by the first principle. This principle also gives customers the right to request any data held on them, and request to be forgotten, i.e., that you erase their data.

4. Accuracy

“Personal data shall be: (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)” Article 5(1)(d)

As you can probably tell from all the principles leading to this one like purpose limitation and data minimisation, for a long time, there was a significant emphasis on gathering as much data as possible with little regard for controlling it and maintaining it in good condition. The Accuracy principle is in place to remind people that you need to do your best to ensure data accuracy, make updates and changes as necessary, be careful to state the source of the data in a clear manner, and figure out the right processes for reviewing data and updating it periodically.

5. Storage limitation

“Personal data shall be: (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);” Article 5(1)(e)

Instead of hoarding data which was done for years and does not serve individual rights, the purpose of data collection in the first, and the environment which ultimately pays the price for the online storage - you must delete data once you no longer need it. Of course, when it is no longer needed is up to you and how your business works, but it is another element (like the purpose for example) which needs to be identified and upheld from the outset.

This principle is part of the GDPR because deleting old and unnecessary data helps to ensure that the data that you do have is accurate, up to date, and less likely to fall into the wrong hands.

6. Integrity and confidentiality (security)

“Personal data shall be: (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

This is what is known as the GDPR’s security principle. It mandates that you need to have appropriate safeguards in place to protect data from unauthorised access or loss. This principle is hugely important in the GDPR, as companies who do not comply with these requirements are more vulnerable to data breaches and hacker attacks.

If someone’s personal information is accessed by a malicious actor in this way, it can have dire consequences on their lives, ranging from public humiliation, to identity theft and fraud, all the way to literal life or death situations. One example of a technological measure the GDPR finds suitable for safeguarding personal data is encryption, a robust security method for making sure data is inaccessible to unauthorized parties. In fact, end-to-end encryption and zero knowledge proof are considered some of the best technical security measures to secure data in the cloud, which the European Data Protection Board affirmed in its recommendations for GDPR.

Related reading:
How to protect your privacy online: 5 actionable tips!

‍7. Accountability principle

“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 [the other data protection principles].” Article 5(2)

This principle refers to the fact that you need to a) strive for GDPR compliance and b) clearly document your compliance journey and efforts. This is both to assure auditors and clients of your compliance, and ultimately gives you a competitive advantage over competitors who cannot do the same. And if anything does go south, demonstrating your commitment and efforts can reduce the consequences of noncompliance. For example, if you do opt to use end-to-end encryption as a technological safeguard, you wouldn’t normally need to inform the supervisory authority and the data subject of a data breach due to the fact that the accessed data would be illegible.

Learn more about end-to-end encryption:
What is Zero Knowledge Encryption and why you need it from the services you use

Closing thoughts

Familiarizing yourself with the 7 principles of GDPR and their implications for your business will make all the difference to your compliance journey moving forward.