GDPR Principle 6: Integrity And Confidentiality

What is the sixth of the seven data processing principles outlined in GDPR?

The sixth principle of data processing is integrity and confidentiality.

Based on the principle of data integrity and confidentiality, organizations must do what’s necessary to protect and safeguard the personal data they collect.

This principle is closely linked to the obligation of ensuring appropriate security measures are implemented to protect against accidental loss, damage or unauthorized use of personal data.

GDPR text on integrity and confidentiality 

Article 5 of GDPR provides that personal data shall be:

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

What does the principle of integrity and confidentiality mean?

The principle of data integrity and confidentiality pretty much means that organizations must protect the data and keep it secure at all times.

The text of GDPR states that companies should make use of “appropriate technical and organisational measures” to protect the integrity and confidentiality of data in their possession.

To comply with this obligation, companies must have a good understanding of how they are collecting data, where the data is stored, who manipulates or processes data and how is it ultimately destroyed.

What should companies do to comply with data integrity and confidentiality principle?

To make compliance as simple as possible, companies should split up their tasks into three categories:

  1. Data discovery
  2. Remediation plan
  3. Ongoing monitoring

Data discovery

Data discovery means understanding what data you collect, process and store.

To assess what your company needs to do to comply with GDPR, you first need to understand where you stand.

During the data discovery phase, you’ll define the type and nature of personal data you’ll investigate in your organization.

You will then locate that data across your entire organization and assess where the personal data is stored.

You’ll then create an inventory of who is using, accessing and processing the personal data within the organization.

Once the data discovery is done, you’ll have a map of the personal data activities and processes of your organization.

The next step is to determine any remediation plan as needed.

Remediation plan

The remediation plan is how your company will address compliance gaps with respect to data integrity and confidentiality.

Are there areas in your business that are exposed?

Are the tools used by your organization effective to achieve your compliance goals?

Are the policies and procedures adequate enough or do they need to be enhanced?

Are you encrypting data after the purpose of the data collection and processing has been achieved?

Ongoing monitoring

Ongoing monitoring is to implement processes allowing the organization to regularly validate its compliance.

Collecting, processing and storing data is an ongoing process and today’s compliance assessment may not be relevant six months from now.

It’s important for companies to continually remain “in the know”.

By adopting monitoring tools and practices, companies can demonstrate and prove their diligence to provide the necessary safeguards and security measures to protect the integrity and confidentiality of the personal data they collect.

What does appropriate technical and organizational measures mean?

What does appropriate technical and organizational measures mean exactly?

Concretely, it means that companies should think about the following:

  • Perform a data risk assessment 
  • Consider appointing a data protection officer 
  • Have an internal team tasked to ensure privacy matters
  • Devise and implement procedures to protect data privacy
  • Work on developing a company culture to protect privacy
  • Make sure the tools you use afford sufficient protection and security
  • Implement measures to continually track your company’s security standards
  • Find ways to remediate any vulnerabilities
  • Continually strive to make your processes and organization better and safer

These are just a few points for you to consider.

At the end of the day, your efforts must lead to protecting and safeguarding personal data in your possession.

How to assess the appropriate level of security to protect personal data?

There is no cookie-cutter approach to defining the right level of security measures to protect personal data.

Companies must evaluate their unique set of circumstances, the purpose for which data was collected, the nature and type of data they access, the sensitivity of the data and the potential harm on individuals in the event of a security breach.

Based on the case-by-case assessment of the data sensitivity and potential adverse consequence on individuals, companies must implement all reasonable measures to mitigate that risk.

Data anonymization and pseudonymization

When companies collect and process personal data, there is no debate that proper security measures must be taken during the collection and processing stages of data handling to protect the personal data.

Security does not end there.

Once data is stored, it must remain protected. 

One way you can comply with the data integrity and confidentiality obligation is to anonymize and pseudonymize the personal data once the purpose of the processing has been fulfilled. 

Companies should be mindful of who may have access to stored data and evaluate the possibilities of a security breach.

Data privacy impact assessment 

A data privacy impact assessment or DPIA is an investigation designed to help companies identify and mitigate data protection risks.

GDPR requires that companies perform a data privacy impact assessment when there is a likelihood of high risk to an individual’s personal data.

By performing a DPIA, companies can document and identify their security risks and vulnerabilities.

As a result, they can implement and adopt measures to mitigate those risks.

If a high level of risk is identified and that risk cannot be mitigated, companies should not process personal data.


GDPR imposes important obligations on companies and individuals who collect personal data to protect the integrity and confidentiality of the data.

This obligation stems from the sixth obligation outlined in Article 5 of GDPR.

Protecting the integrity and confidentiality of personal data is to ensure that the data is safe and secure at all times.

After all, data security, safety and confidentiality represent the pillars of the privacy obligations of GDPR.

To comply with the principle of preserving data integrity and confidentiality, companies must adopt all the necessary organizational and security measures to achieve this objective.

If companies are unable to adequately protect and safeguard personal data, they must not collect, store or process data as they will put data subjects directly at risk of harm.

Companies can generally prove their compliance with this principle by demonstrating that they have assessed their business, mapped out how personal data flows through their organization and identified and rectified any security vulnerability or gaps.

For more content on the GDPR principles, read our post titled What Are The 7 Principles of GDPR?