
Principles of the General Data Protection Regulation
The General Data Protection Regulation, aka the GDPR, is EU data protection law outlining the obligation to protect people and the processing of their personal data. Following Brexit, the UK GDPR has retained most of the EU GDPR - so it’s still relevant law.
Article 5 of the GDPR highlights the 7 main principles relating to the processing of personal data - these are explained below:
Lawfulness, fairness and transparency - personal data shall be processed lawfully and fairly and in a way which is transparent to the person whose data it is
Purpose limitation - personal data shall be collected only for a specific purpose; data unrelated to this purpose shall not be collected
Data minimisation - data shall be limited to what is necessary
→ purpose limitation and data minimisation read together essentially mean that personal data should be collected for a specific reason and the amount of data collected should only be enough to meet this purpose and no more
Accuracy - data shall be accurate and up to date
Storage limitation - personal data shall not be kept longer than needed to process the data for the specific purpose it was collected for
Integrity and confidentiality - personal data shall be processed in a way which is secure from unlawful processing, accidental loss or damage
Accountability - the agency/body that determines the purposes and means of the processing shall be held responsible for complying with principles 1-6