GDPR Accuracy Principle: Accurate Personal Data in Practice

Key Takeaways

The accuracy principle requires organisations to ensure personal data is factually correct, contextually honest, and kept up to date throughout every stage of the data lifecycle.

Accuracy is an ongoing obligation. It requires data validation, trained staff, correction mechanisms, and regular review to maintain accuracy across systems.

To reduce compliance risks: validate at collection, conduct periodic reviews of high-risk datasets, enable easy rectification channels for individuals to request corrections, keep audit trails of every change, and periodically review your processes against evolving regulatory guidance.

Inaccurate information creates legal exposure, erodes trust, causes financial harm, and leads to unfair decisions. Organisations that treat accuracy as an ongoing discipline will remain compliant while building stronger relationships with the individuals whose data they hold.

What does the GDPR accuracy principle require?

Personal data must be accurate and kept up to date per GDPR. Article 5(1)(d) states this directly: organisations that process personal data must take every reasonable step to erase or rectify inaccurate data without delay. The accuracy principle is one of the core data protection principles, sitting alongside lawfulness, fairness, transparency, purpose limitation, data minimisation, storage limitation, and integrity.

When personal data is wrong, real people suffer. A data subject can be refused credit because a repayment default was never cleared from their file. A job applicant can be mis-scored by a fraud detection system because of outdated data. A patient can be treated based on a diagnosis that was revised months earlier. These aren’t edge cases. They happen regularly, and they’re exactly the kind of harm the accuracy principle exists to prevent.

What is the legal definition of accuracy under GDPR?

Article 5(1)(d) mandates data accuracy and currency. Under EU GDPR and UK GDPR alike, personal data must be accurate and, where necessary, kept up to date. Organisations must take every reasonable step to ensure that inaccurate personal data, having regard to the purposes for which it is processed, is erased or rectified without delay.

The UK Data Protection Act 2018 clarifies that “inaccurate” means incorrect or misleading as to any matter of fact. Data doesn’t need to be technically wrong to be inaccurate; if it creates a false impression, it fails the test.

The accuracy principle applies to all personal data formats: CRM entries, HR records, scanned IDs, log files, AI training datasets, and profiling outputs.

Personal data accuracy includes maintaining the accuracy of the source of the information. If the source is unreliable, the resulting data is suspect.

“Data accuracy” under GDPR is distinct from broader data quality concepts like completeness or consistency. GDPR focuses specifically on factual correctness and currency.

What counts as a “reasonable step” depends on the nature of processing, risk to individuals, source reliability, and how quickly the personal data typically changes. A bank verifying identity has higher obligations than a newsletter list.

What counts as accurate personal data in practice?

The accuracy of personal data depends on its purpose of processing. Accurate data correctly describes the individual’s identity, status, or circumstances for the specific purpose for which it’s being processed. A salary figure is accurate for the payroll month it covers. A shipping address is accurate if it’s the one the customer confirmed for that order.

Factual accuracy covers objective facts: date of birth, bank account number, national insurance number. These are either correct or they aren’t.

Contextual accuracy is more nuanced. “Current employer” is only accurate when accompanied by a clear date reference. A medical opinion recorded in 2021 is accurate as a historical record if it’s clearly timestamped, even if the diagnosis was later revised.

Data can be factually correct but misleading. A complaint marked “open” when it was resolved in March 2024 is inaccurate in context. An old address shown as “current” on a credit check creates a false impression.

Historical records remain accurate if clearly dated and labelled. Opinions must faithfully reflect what was said, by whom, and when. Scientific or historical research data may retain entries that are outdated in absolute terms, provided they’re contextualised.

Data minimisation directly supports accuracy. Collecting fewer, relevant attributes reduces the surface area for errors and makes maintaining accurate data more manageable.

When and how does personal data become inaccurate?

Personal data constantly drifts out of accuracy. People move house, change surnames, switch jobs, repay loans, close complaints, receive updated diagnoses. Without active maintenance across the data lifecycle, what was correct at collection becomes outdated data.

Common causes include human error at data entry (a mis-typed IBAN during a payroll run), system integration mismatches during mergers, unverified third-party data feeds, and unmaintained marketing databases where contact details grow stale over years.

Inaccurate data can lead to financial loss for individuals. A tenant can be denied housing because a credit file still shows a default that was repaid two years ago. Incorrect data may also cause denial of essential services, such as an airline passenger wrongly matched to a no-fly list.

Emotional distress can result from disputes over inaccurate records. Errors in data can lead to unfair decisions affecting individuals, and inaccurate data undermines trust between individuals and organisations.

The ICO reprimanded West Midlands Police in March 2024 after the force repeatedly merged the records of two people with the same name and date of birth between 2020 and 2022. One was a victim of crime and the other a suspect, and the mix-up led officers to visit the wrong address over a safeguarding concern and to visit the wrong person’s child’s school. In Lithuania, the State Data Protection Inspectorate fined the Vilnius City Municipality Administration €15,000 in 2020 for failing to ensure the accuracy of personal data while processing adoptive parents’ records, after a system update replaced an applicant’s contact details with those of a biological parent.

IBM has documented cases where poor data quality caused significant operational losses, including Unity Technologies, which reported approximately USD 110 million in lost revenue in 2022 after faulty data ingestion corrupted the datasets used to train its advertising machine learning models. The risks of inconsistent data and inaccurate inputs are financial, legal, and reputational.

How does the accuracy principle apply in day-to-day operations?

Organisations must implement data validation mechanisms during collection and apply the accuracy principle at every stage of personal data processing: onboarding, KYC, HR, marketing, support, risk scoring, and AI pipelines.

At collection, use structured forms with data validation rules (email format checks, date-of-birth constraints, country-specific address formats), drop-down menus instead of free text, and confirmation screens where individuals review their entries. Clear instructions help individuals provide accurate data at the point of entry.

Data must be verified against reliable sources before use. For high-risk data processing activities such as credit decisions, immigration cases, or large payouts, cross-check against official registers or request documentary evidence. Flag unusual entries for manual review.

Organisations must implement processes for data quality controls on an ongoing basis. Periodic reviews of key datasets (customer master, payroll, patient records) catch drift. Automated reminders prompt users to confirm contact details. Self-service portals let data subjects update their own information directly.

To avoid misleading records, add timestamps, status fields, and clarifying notes. A complaint record should show “resolved on 12 March 2024” rather than leaving the status ambiguous. Correct data includes context that prevents false impressions.

For SMEs using common tools like Salesforce, HubSpot, or Workday, data validation processes can include validation plugins, mandatory fields, periodic list cleaning, and deduplication routines. These are appropriate processes that don’t require extreme measures or enterprise-grade budgets.

What rights do data subjects have linked to the accuracy principle?

The accuracy principle requires that individuals are able to challenge and correct their data. The right to rectification under Article 16 allows every data subject to request corrections.

Individuals can request correction of inaccurate personal data. Organisations must respond to rectification requests within one month. The right to rectification applies to all personal data formats, whether digital records, paper files, or algorithmic outputs.

Individuals can challenge inaccuracies through various accessible channels: web forms, dedicated email addresses, or postal addresses. Making these channels visible and easy to use is a baseline expectation.

Data processors must act on requests to correct inaccurate or incomplete data without undue delay. If the controller has shared the data with third parties, organisations must notify third parties of corrected data where feasible.

Individuals have the right to challenge the accuracy of their data, including opinions and historical records. When a data subject challenges a recorded opinion or an old entry, the controller should add the individual’s challenge or updated context to the file rather than simply deleting legitimate historical data.

At GDPRLocal, we help clients design rectification workflows, draft response templates, and define decision criteria for evaluating whether data is indeed inaccurate. This documentation supports accountability when regulators ask how correction mechanisms work.

What organisational responsibilities support data accuracy?

Under Article 5(2) GDPR, accountability means controllers must not only follow the accuracy principle but demonstrate it through documented policies, defined roles, and clear records.

A concise data accuracy policy should define what “accurate” means for each data category, list acceptable sources, set verification rules, and establish risk-based review frequencies. Customer addresses might be reviewed annually. Contractor job titles might be checked every six months.

Assign clear ownership: data stewards or system owners for each dataset, with DPO oversight. Each business unit should know who can approve corrections and who maintains master records.

Role-based training ensures frontline staff understand how to capture accurate data, flag suspected inaccuracies, and respond to data subject challenges. This is an organisational measure that directly reduces compliance risks.

Organisations should document every correction made to personal data. Audit trails that record the old value, new value, date, user, and source of change support incident investigations and regulatory queries. Data must be reviewed regularly to maintain accuracy.
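One way to keep such an audit trail, as an added example that is not GDPRLocal's own code: each entry carries the old value, new value, date, user and source named above. The example goes beyond the text by chaining entries with SHA-256 so that later edits to the trail itself are detectable. The field names, the hash chain and the sample record are assumptions made for illustration.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace

GENESIS = "0" * 64  # constructed anchor for the first entry's prev_hash


@dataclass(frozen=True)
class Correction:
    record_id: str
    attribute: str
    old_value: str
    new_value: str
    changed_at: str  # date of the change, ISO 8601
    user: str        # who applied the correction
    source: str      # what prompted it, e.g. a rectification request
    prev_hash: str = GENESIS
    entry_hash: str = ""


def digest(entry):
    """SHA-256 over every field except the entry's own hash."""
    body = asdict(entry)
    del body["entry_hash"]
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append(trail, **fields):
    """Return a new trail with one more entry linked to the previous one."""
    prev = trail[-1].entry_hash if trail else GENESIS
    draft = Correction(prev_hash=prev, **fields)
    return trail + [replace(draft, entry_hash=digest(draft))]


def first_invalid(trail):
    """Index of the first entry whose content or back-link fails, else None."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        if entry.prev_hash != prev or entry.entry_hash != digest(entry):
            return i
        prev = entry.entry_hash
    return None


def sample_trail():
    """Constructed sample data: two corrections to one customer record."""
    trail = append([], record_id="cust-1042", attribute="address",
                   old_value="1 Old Road", new_value="7 New Street",
                   changed_at="2024-03-12", user="agent.k",
                   source="rectification request")
    return append(trail, record_id="cust-1042", attribute="complaint_status",
                  old_value="open", new_value="resolved on 12 March 2024",
                  changed_at="2024-03-12", user="agent.k",
                  source="case closure")
```

The chain detects edited, reordered or dropped earlier entries; removing entries from the end goes unnoticed unless the latest entry_hash is also recorded somewhere the trail's writer cannot change.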

How does accuracy affect automated systems and AI-driven decisions?

Automated decision-making systems depend on accurate data for lawful outcomes. A credit scoring engine trained on outdated data will systematically deny loans to qualified applicants. A CV screening tool fed with inconsistent data will produce discriminatory patterns at scale.

Inaccurate inputs in automated systems can cause systematic denial of services, skewed risk scores, or biased patterns affecting thousands of individuals before anyone detects the problem.

The ICO’s guidance on accuracy and statistical accuracy distinguishes between data protection accuracy (factual correctness) and statistical accuracy (model performance metrics). Both matter. GDPR’s accuracy principle requires that inferences be labelled as such and be challengeable.

Technical controls for AI systems include validating data pipelines at ingestion, monitoring for concept drift, periodically retraining with refreshed datasets, and maintaining human review for edge cases. These controls support data integrity across AI and privacy requirements.

GDPRLocal’s AI governance services help clients test datasets for errors and bias, establish retraining schedules, and match their data processes to both GDPR and emerging AI regulation.

How can organisations demonstrate compliance with the accuracy principle?

Regulators expect evidence, not just policy documents. Organisations must demonstrate compliance with data accuracy requirements through controls, monitoring, and corrective actions.

Organisations should document rectification requests and actions taken, including reasons for declining a requested correction. Maintain records of data sources and verification checks conducted on personal data collected from third parties or public sources.

Set simple, measurable KPIs: duplicate record rate, undeliverable email percentage, number of corrections per 1,000 records, mean time to rectify inaccurate data. Conduct periodic reviews to ensure data held in key systems remains current.

Regular audits help identify outdated or incorrect personal data. Integration with Records of Processing Activities, DPIAs for high-risk processing, and vendor contracts that commit processors to support accuracy creates a coherent compliance framework.

GDPRLocal can perform a structured accuracy gap analysis, delivering a prioritised action plan that SMEs can implement over three to six months. This helps reduce compliance risks and builds confidence with supervisory authorities.

How should accuracy be balanced with other data protection principles?

Maintaining accurate personal data must be balanced against purpose limitation, data minimisation, and storage limitation. These GDPR principles work together, and tension between them is normal.

Organisations should not collect data they don’t need under the pretext of “keeping things accurate.” Excess data is harder to maintain and more likely to become inaccurate. Only collect what serves a lawful basis and legitimate purposes.

Storage limitation directly supports accuracy. Data must not be kept longer than necessary under GDPR. Keeping outdated data indefinitely means stored data will inevitably become misleading. Clear retention schedules and deletion routines help delete inaccurate data and prevent unlawful processing of records that no longer reflect reality.

Apply a risk-based approach. A bank performing KYC must verify identity documents and ensure personal data is updated regularly. A low-risk newsletter list may accept lighter checks. Healthcare providers retain diagnoses for statistical purposes and historical research but mark them with date and source.

For example: verify ID for KYC but don’t store full document scans longer than a legal obligation requires. Periodically review marketing databases and purge records for data subjects who haven’t engaged for 24 months. Keep archived employee records for public interest or legal compliance, but label them clearly so historical records don’t mislead.

Contact GDPRLocal to discuss Article 27 representation, outsourced DPO support, GDPR and AI accuracy audits, or to review your current data accuracy controls. Whether you need to process personal information for EU, UK, or Swiss individuals, we can help you ensure data quality across your operations and demonstrate accountability to regulators.

About the Author

Zlatko Delev

Country Manager & Head of Commercial — GDPRLocal

Zlatko specialises in data protection compliance, ISMS strategy, and AI law. With a legal background and hands-on experience supporting organisations globally, he helps businesses navigate GDPR, the EU AI Act, and international privacy frameworks.