Updated: August 2025
The GDPR (General Data Protection Regulation) outlines seven data protection principles that summarise its many requirements. While the first six guide data handling, the seventh, accountability, is the overarching principle requiring you to take responsibility for and be able to demonstrate compliance with the others.
The principles are an essential starting point for anyone trying to understand how to achieve compliance. Small organisations, which often lack the resources to appoint data protection experts to guide them through compliance, may find them particularly useful.
We take a look at each principle in this blog and provide advice on how they should fit within your GDPR compliance practices.
• Principles as a Guide: The six core principles (Lawfulness, Fairness and Transparency; Purpose Limitation; Data Minimisation; Accuracy; Storage Limitation; and Integrity and Confidentiality) provide a complete framework for compliant data processing.
• Accountability is Active: The seventh principle, Accountability, is not passive. It requires you to actively implement appropriate measures and maintain records to demonstrate your adherence to the other principles.
• Security is Explicit: The principle of ‘Integrity and Confidentiality’ explicitly calls for security measures. This means protecting data from breaches and accidental loss using methods like encryption and access controls.
The first principle, lawfulness, fairness and transparency, is relatively self-evident: organisations need to make sure their data collection practices don’t break the law, that they treat data subjects fairly, and that they aren’t hiding anything from them.
To remain lawful, you need a valid lawful basis for each processing activity and a thorough understanding of the GDPR’s rules for data collection. To remain transparent with data subjects, you should state in your privacy notice what types of data you collect, why you collect them and on which lawful basis.
The second principle, purpose limitation, requires organisations to collect personal data only for specified, explicit and legitimate purposes, to state clearly what those purposes are, and not to process the data further in a way that is incompatible with them.
Further processing for archiving purposes in the public interest or for scientific, historical or statistical purposes is not treated as incompatible with the original purpose, provided the safeguards the GDPR requires for such processing are in place.
The third principle, data minimisation, means organisations must process only the personal data that is adequate, relevant and limited to what is necessary for their processing purposes. Doing so has two major benefits.
First, in the event of a data breach, the unauthorised party gains access to only a limited amount of data. Second, holding less data makes it easier to keep that data accurate and up to date.
The fourth principle, accuracy, is integral to data protection. The GDPR states that “every reasonable step must be taken” to erase or rectify data that is inaccurate or incomplete, having regard to the purposes for which it is processed.
Individuals have the right to have inaccurate data rectified and incomplete data completed. Organisations must act on such requests without undue delay and in any event within one month, a period that can be extended by two further months where requests are complex or numerous.
The fifth principle, storage limitation, similarly requires organisations to delete personal data (or stop holding it in a form that identifies individuals) once it is no longer necessary for the purpose for which it was collected.
How do you know when information is no longer necessary? According to marketing company Epsilon Abacus, organisations might argue that they “should be allowed to store the data for as long as the individual can be considered a customer.
So the question really is: For how long after completing a purchase can the individual be considered a customer?”
The answer will vary according to the industry and the reason the data was collected. Any organisation that is uncertain how long it should keep personal data should consult a legal professional and document the retention period it settles on.
The sixth principle, integrity and confidentiality, is the only one that deals explicitly with security. The GDPR states that personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
The GDPR is deliberately vague about what measures organisations should take, because technological and organisational best practices are constantly changing.
Article 32 does, however, name pseudonymisation and encryption as examples of appropriate measures, alongside the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access after an incident, and regular testing of the effectiveness of those measures. Organisations should therefore encrypt and/or pseudonymise personal data wherever possible, but they should also consider whatever other measures are appropriate to the risk of the processing.
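Pseudonymisation is only as strong as the secret that separates the pseudonym from the identity. The following Python example is added for this page (it is not code from the original post) to show why an unkeyed hash of an identifier is not an effective pseudonym, and how a keyed HMAC with the key held outside the dataset gives a token that can still be joined across records but cannot be reversed by guessing inputs. The sample records, the `pseudonymise_dataset` helper and the assumption that the key lives in a separate store (such as a KMS or secrets manager) are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records for the example; these are not real people.
RECORDS = [
    {"email": "alice@example.com", "order_total": 42.50},
    {"email": "bob@example.com", "order_total": 17.99},
]


def naive_pseudonym(value: str) -> str:
    """Unkeyed SHA-256. Looks anonymous, but anyone who can guess the
    input (emails, phone numbers, national IDs are all guessable) can
    hash their guesses and re-identify the token."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Deterministic, so the same subject
    maps to the same token and records can still be joined, but without
    the key a guessed input cannot be checked against the token."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def dictionary_attack(token: str, candidates: list) -> Optional[str]:
    """Attacker's view: try to reverse a token by hashing guessed inputs
    with the unkeyed function. Succeeds against naive_pseudonym, fails
    against keyed_pseudonym because the key is not available."""
    for candidate in candidates:
        if hmac.compare_digest(naive_pseudonym(candidate), token):
            return candidate
    return None


def pseudonymise_dataset(records: list, key: bytes):
    """Split the data into an analytics copy that carries only tokens and a
    separate lookup table that maps tokens back to identities. The lookup
    table and the key are the 'additional information' that GDPR Art. 4(5)
    says must be kept separately and under technical controls; the
    analytics copy on its own no longer identifies anyone directly."""
    analytics = []
    lookup = {}
    for record in records:
        token = keyed_pseudonym(record["email"], key)
        analytics.append({"subject": token, "order_total": record["order_total"]})
        lookup[token] = record["email"]
    return analytics, lookup


def main() -> None:
    # In production the key comes from a secrets store, never from the
    # same database as the pseudonymised rows (assumption for this example).
    key = secrets.token_bytes(32)
    guesses = ["bob@example.com", "alice@example.com", "carol@example.com"]

    naive = naive_pseudonym("alice@example.com")
    print("unkeyed hash re-identified as:", dictionary_attack(naive, guesses))

    keyed = keyed_pseudonym("alice@example.com", key)
    print("keyed token re-identified as:", dictionary_attack(keyed, guesses))

    analytics, lookup = pseudonymise_dataset(RECORDS, key)
    print("analytics row:", analytics[0])
    print("re-identification via separately held table:", lookup[analytics[0]["subject"]])


if __name__ == "__main__":
    main()
```

Rotating the key produces a completely different set of tokens, which is useful when a dataset must be cut off from earlier exports, but it also breaks joins with data tokenised under the old key, so key lifecycle needs to be part of the retention policy rather than an afterthought.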
The seventh and final principle, accountability, underpins all the others. It states that the data controller is responsible for, and must be able to demonstrate, compliance with the other six principles. It’s not enough to simply follow the rules; you must be able to prove that you are following them.
In practice, this means implementing a framework of governance and documentation. This includes:
• Maintaining records of all data processing activities.
• Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing.
• Appointing a Data Protection Officer (DPO) where required.
• Having clear internal data protection policies and providing staff training.
• Implementing “data protection by design and by default,” which means building data protection measures into your systems and processes from the very start.
1. What does the ‘Accountability’ principle mean in practice? It means you must document the steps you take to comply with the GDPR. This includes maintaining records of processing activities, conducting Data Protection Impact Assessments (DPIAs) for high-risk processing, and having clear internal policies that staff must follow. It’s about creating a paper trail that proves you’re responsible.
2. How do we determine how long to store personal data? The ‘Storage Limitation’ principle requires you to define and justify your data retention periods. This isn’t a one-size-fits-all answer. Your retention period should be based on the specific purpose for which you collected the data. For example, warranty periods, legal requirements, or the typical customer lifecycle in your industry can help you set a reasonable timeframe. You must document these periods in your retention policy.
3. Are encryption and pseudonymisation mandatory? The GDPR requires “appropriate technical or organisational measures” for security. It doesn’t mandate encryption or pseudonymisation in every case, but Article 32 lists them as examples of appropriate measures. For sensitive data or high-risk processing, failing to use them would be very difficult to justify. The key is to assess the risk and apply security measures that match that level of risk.