The GDPR Data Protection Principles

The GDPR has 7 Data Protection Principles which all organisations should become familiar with.

Learn More!
Lockboxes, referring to protecting something

Data Protection Principles

Under GDPR, the seven primary information and data protection principles are:

  1. Purpose - its clear why you need the data
  2. Lawfulness, fairness and transparency – be clear, open, honest and fair about using personal data
  3. Data Minimisation - data is minimal, adequate and limited to its purpose
  4. Data Accuracy - data is correct and up to date
  5. Storage Limitation - erase when you don’t need it
  6. Integrity and Confidentiality - you keep it safe and ensure you don’t lose it
  7. Accountability - you take responsibility and you can prove it

Our Erudite GDPR Solution provides a self-service page for Subject Access Requests or Help Desk based portal for your staff to take requests and record them.


Purpose is about explaining what data you need and why it's necessary to collect it. It is not acceptable to harvest or collect more data than you need.

  • Personal data must be collected for specific and defined legitimate purposes, you will need to justify it and record that.
  • The data can only be used (processed) for the reason you gave when you collected it.
  • Additional further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is permitted in certain circumstances.

Our Erudite GDPR Solution enables you to document purpose, legal basis, data retention and more.

Lawfulness, fairness and transparency

Personal Data must be processed lawfully, fairly and transparently, this is done by identifying the legal basis for GDPR, documenting it and communicating it to data subjects.

Remember these facts:

  • You must identify valid grounds under the GDPR (known as a ‘lawful basis’) for collecting and using personal data.
  • You must ensure that your use of personal data is not in breach of any other laws.
  • You must use personal data in a way that is fair*.
  • You must be clear, open and honest with people from the start about how you will use their personal data.

*Fair use of data means you must not process the data in a way that is unduly detrimental, unexpected or misleading You must have told the individual exactly what you plan to do with that data.

Our Erudite GDPR Solution enables Data Subjects to Raise their own Right of Access Request on our portal or they can be stored via our Portal by your team.

Data minimisation

Personal data must be adequate, relevant and limited to what is necessary for the purposes in which it is processed. It must be just enough to do the job you need to do but not more.

You must ensure the personal data you are processing is:

  • Adequate – sufficient to properly fulfil your stated purpose
  • Relevant – has a rational link to that purpose; and
  • Limited to what is necessary – you do not hold more than you need for that purpose.

Data accuracy

As a principle, Personal data must be accurate and kept up to date if relevant. While GDPR does not define accurate, The Data Protection Act 2018 says that ‘inaccurate’ means incorrect or misleading.

The right to erasure applies if:

  • Take reasonable steps to ensure the accuracy of any personal data
  • Ensure that the source and status of personal data is clear
  • Carefully consider any challenges to the accuracy of information; and
  • Consider whether it is necessary to periodically update the information

The GDPR principle includes a proactive obligation to take reasonable steps to delete or correct inaccurate personal data. The GDPR does not explicitly distinguish between personal data that you create and personal data that someone else provides.

Storage limitation

The core of this principle is - You must not keep personal data for longer than you need it!

You must be able to justify the data retention period you apply to personal data – the best place to do this is your policy which defines data retention periods. It's advisable to periodically, such as annually to review the data you hold and erase or anonymise it.

  • You need to think about and justify how long you keep personal data. This will depend on your purpose.
  • You need a policy setting retention periods wherever possible, to comply with documentation requirements.
  • You should periodically review the data you hold, and erase or anonymise it when you no longer need it.
  • You must carefully consider any challenges to your retention of data. Individuals have a right to erasure.
  • You should periodically review the data you hold, and erase or anonymise it when you no longer need it.

Our Erudite GDPR Solution enables you to record your retention periods, justify it and receive reminders to review them.

Integrity and confidentiality

Known as the Security principle, integrity and confidentiality cover how you protect personal data. Personal Data shall be processed in a manner that ensures appropriate security of the personal data. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Why should we worry about losing personal data?

When a fraudster has personal data, it makes them more convincing when they impersonate an individual or trick an individual into believing they are someone they’re not, such as your bank manager. If lost, an individual could be subject to:

  • Identity, credit card or mortgage fraud
  • Witnesses put at risk of physical harm or intimidation
  • Offenders at risk from vigilantes
  • Exposure of the addresses of service personnel, police and prison officers, and those at risk of domestic violence
  • Fake applications for credit

What should you do?

  • Build an Information Security Policy
  • Train Staff and build awareness continually
  • Use principle of least privilege – if you don’t need access for your job, you don’t get access
  • Think carefully where you leave data – this includes printouts on a desk or passwords on a post it note
  • Keep in mind that data must be accurate, if you suspect its source is questionable or if it looks wrong, do something about it.


The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles.

You must have appropriate measures and records in place to be able to demonstrate your compliance. Use audits to help you achieve this.

Some measures that you can, and in some cases must, take include:

  • Implementing and adopting data protection policies
  • Taking a ‘data protection by design and default’ approach
  • Written contracts in place with third parties that process personal data on your behalf
  • Maintaining documentation of your processing activities
  • Implementing appropriate security measures
  • Recording and, where necessary, reporting personal data breaches
  • Appointing a Data Protection Officer

Putting in place a solution that helps you be compliant and manage the day to day tasks of complying with GDPR helps demonstrate your committment. Read more about our GDPR Solution .

Try Erudite for free.

Our Free Trial gives full access to the functionality for a time limited period so you can fully explore our GDPR Solution called Erudite. Our no obligation Free Trial will let you see how our GDPR solution can add value to your business and make compliance with GDPR simpler and less daunting.

Let's Get Started!