What Are The 7 Principles of GDPR? (All You Need To Know)

What are the 7 principles of GDPR?

Article 5 of the General Data Protection Regulation outlines the 7 principles of GDPR that organizations should adhere to when processing personal data.

To comply with the GDPR data collection, storage and processing obligations, companies should implement and adopt these seven principles so that data subjects receive the proper protection and assurance with respect to their personal data.

Let’s look at the text of GDPR and then look at each of the seven principles one by one.

What are data protection principles?

Data privacy and data protection are highly complex.

In most cases, data protection laws also govern the technological means of processing personal data.

Since technology advances at speeds no law can ever aspire to achieve, legislators must find ways to adopt laws ‘guiding’ people and organizations as opposed to being granular and highly specific.

This is where we get to data protection principles.

Data protection principles are guidelines provided by GDPR to steer organizations in the right direction and to help companies make the right decision about their data protection and privacy operations.

For example, the law states that companies must follow the principle of data minimisation.

What can this principle mean concretely?

The answer will vary per organization.

The objective here is to collect only the strict minimum of personal data necessary to achieve the processing objective.

Drawing the line between what’s the necessary minimum and what exceeds the necessary minimum will depend on the circumstances, the organization and the underlying facts.

What are the 7 principles of GDPR?

The General Data Protection Regulation or GDPR provides for 7 key principles with respect to data protection and privacy:

  1. Lawfulness, fairness and transparency 
  2. Purpose limitation
  3. Data minimisation 
  4. Accuracy 
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability

GDPR data protection principles 

Article 5 of GDPR lays out the principles based on which organizations must collect, use and process personal data.

Article 5(1) of GDPR outlines 6 of the 7 principles.

Personal data shall be: 

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)

Article 5(2) of GDPR outlines the 7th principle:

  1. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)

Principle 1: Lawfulness, fairness and transparency

Article 5(1) refers to the principle of lawfulness, fairness and transparency by stating that personal data should be:

processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)

The principle of lawfulness, fairness and transparency means that all data collection, storing or processing should:

  1. Be lawful and respect the terms of GDPR
  2. Be processed fairly, meaning you keep the promises you made to the individuals whose data you collect, store and process
  3. Be transparent with the data subjects as to the purpose of data collection and use

Lawfulness 

For the processing of personal data to be lawful, organizations must outline the purpose and grounds for which personal data needs to be processed.

When there is no purpose for collecting, storing or processing personal data, then handling the personal data will be considered unlawful.

If personal data was unlawfully collected, data subjects have the right to demand the erasure of the data and restrict further processing of the personal data.

Fairness 

For data collection, processing and storage to be fair, customers and data subjects should have a reasonable expectation as to the purpose of the data collection.

Data subjects expect the processing of their personal data to be consistent with what they agreed to, and the data to be handled in such a way that it does not cause them any harm or prejudice.

Transparency 

The notion of transparency is closely linked to the notion of fairness.

To collect, store and process in a transparent way means that organizations must be truthful about how data subjects’ personal information will be used.

When you tell data subjects what information you will collect, what you will do with it and how it can benefit the data subjects, they can give you free and clear consent.

Otherwise, if you are not transparent, the data subject’s consent may not be valid in the circumstances.

Principle 2: Purpose limitation

Article 5(1) refers to the principle of purpose limitation by stating that personal data should be:

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)

The principle of purpose limitation requires that you inform data subjects as to why you need to collect, store and process their personal data in a specified, explicit and legitimate way.

Organizations should not collect personal data for any purposes other than those the data subject approved.

By calling out the purpose of your personal data collection activities, individuals can make informed decisions about authorizing you to collect, store and process their personal data.

By clearly explaining the purpose of use, organizations can effectively build a level of trust with their clients and prospects.

Principle 3: Data minimisation 

Article 5(1) refers to the principle of data minimisation by stating that personal data should be:

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)

For the principle of data minimisation, you must only collect the personal data that you legitimately need to render the services to your clients.

Organizations should evaluate what information they absolutely require to render their services and ensure they notify data subjects to that effect and limit their data collection strictly to that.

The data minimisation principle, along with accuracy and storage limitation, is one of the three principles related to data standards.

With respect to data minimisation, organizations should make sure they do not collect more data than is truly needed to effectively render their services.

To determine the appropriate threshold of data to collect, companies should assess their data collection activities holistically.

By understanding the purpose, and the nature and type of data needed to achieve it, companies can then limit their data collection, storage and processing to that purpose only.

Principle 4: Accuracy 

Article 5(1) refers to the principle of accuracy by stating that personal data should be:

accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)

The accuracy principle is the second principle with respect to data standards next to data minimisation and storage limitation.

When collecting, storing and processing personal data, organizations must ensure that the data is accurate and kept up to date.

If the information held on a data subject is old or outdated, organizations should make a reasonable effort to bring that information up to date.

Data accuracy is closely linked with the individual’s right to have the data held about them rectified.

If data about a person is inaccurate or not up to date, the individual has the right to have the information completed or rectified, or to request that it be erased.

Principle 5: Storage limitation

Article 5(1) refers to the principle of storage limitation by stating that personal data should be:

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)

The storage limitation principle is the third principle relating to data standards, next to data accuracy and data minimisation.

The principle of storage limitation ensures that personal data is kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes of the processing.

To store the information for only the amount of time that it is necessary means that companies should adopt a data retention policy to manage their data retention obligations.

GDPR does not provide any specific rules as to how long data can be stored based on the different types of data companies can collect.

Organizations will need to assess their need and determine what is the appropriate retention period allowing them to remain in compliance with GDPR.

What’s certain is that GDPR does not allow companies to hold personal data for long after the purpose of the data collection, storage and processing has been fulfilled.

If personal data is kept after the purpose has been achieved, companies must be able to justify the lawful grounds based on which they are maintaining the data.

Principle 6: Integrity and confidentiality

Article 5(1) refers to the principle of integrity and confidentiality by stating that personal data should be:

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)

This principle is quite important to safeguard personal data.

Ensure data security 

The principles of data integrity and data confidentiality are tied to how organizations ensure the security of the personal data they collect.

Companies must make sure that personal data they collect, store and process are handled securely and with appropriate security measures.

To mitigate potential harm to data subjects, companies should anonymize or pseudonymize the personal data in their possession.

Implement state of the art technologies 

Article 32(1) of GDPR provides additional guidance with respect to the security standards applicable to personal data:

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  1. the pseudonymisation and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Based on this article, companies must consider the state of the art and the cost of implementation, along with the risks and the potential consequences for data subjects, to define the proper security measures intended to protect personal data.

GDPR requires that companies implement security measures to protect the privacy and confidentiality of personal data throughout the entire data handling cycle, from collection and processing through to storage and destruction.

What is the appropriate level of security 

GDPR does not define precisely what level of integrity and confidentiality measures companies should strive for.

It’s difficult to include specific security standards in law, as technology and security standards evolve quickly.

Companies must evaluate the appropriate level of organizational security and measures in light of their realities, the sensitivity of the data collected and the purpose of their collection activities.

Principle 7: Accountability

Article 5(2) refers to the principle of accountability by stating that:

The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)

The seventh principle of accountability means that companies must take measures and implement governance policies and practices to comply with the terms of GDPR.

Companies must be able to show to data protection authorities or data subjects the measures, policies and practices they’ve implemented showing their commitment to comply with the 7 principles of GDPR.

Many companies have used their obligation of accountability as a competitive advantage.

Showing you take individual privacy seriously is important in the technological economy of the 21st century.

By showing you are responsible, individuals, clients, customers and prospects will have the comfort to know that their information is in good hands and that if something were to happen, you will assume the responsibility.

Why are the GDPR principles important?

Data privacy and data protection are an ever-evolving process.

Companies must protect personal data and their ability to do so is evaluated based on their organizational capacity, technological means and tools available to market participants.

Rather than defining specific data privacy rules, GDPR outlines 7 principles guiding companies on how to protect personal data and all processes involving data collection, storing and processing.

Complying with GDPR is therefore an ever-evolving process.

Companies must continually evaluate and re-evaluate their data collection, storing and processing activities to ensure that they comply with the spirit of the seven principles.

If at any point in time a company cannot demonstrate compliance with these principles, it may be in breach of its GDPR obligations.

What are the consequences of not respecting the 7 GDPR principles?

Companies subject to GDPR can face significant sanctions and consequences in the event they are found to violate GDPR.

GDPR states that the infringement of the baseline principles for processing personal data is subject to the highest level of administrative fines.

Article 83(1) of GDPR states:

Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive

Violations of the principles of Article 5 must be sanctioned by administrative fines that are effective, proportionate and dissuasive.

Article 83(5)(a) of GDPR states: 

Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;

GDPR imposes much stricter administrative fines for violations of Article 5, which can go up to 20,000,000 EUR or, in the case of an undertaking, up to 4% of its total worldwide annual turnover, whichever is higher.

Takeaways

These 7 principles of data protection regulation in Europe are key for organizations to comply with.

Since its adoption, GDPR has become the global reference as it relates to data protection and data privacy.

The 7 principles of GDPR relating to data collection, storage and processing are:

  1. Lawfulness, fairness and transparency 
  2. Purpose limitation
  3. Data minimisation 
  4. Accuracy 
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability

Individuals and organizations processing personal data of the European Union’s data subjects must comply with GDPR and with the seven guiding principles.

GDPR allocates a higher level of importance to compliance with these principles, as data protection authorities are given powers to issue stricter administrative fines for violations of the data processing guiding principles of Article 5 of GDPR.

These are not just theoretical concepts academics love to write about.

Failing to comply with these guiding principles can have dire, severe and concrete repercussions on organizations both financially and reputationally.

Have you implemented these guiding principles in your organization?
