General Data Protection Regulation (GDPR)

Data protection principles under the GDPR

Data protection principles underpin the new General Data Protection Regulation (GDPR). These principles set out obligations for businesses and organisations that collect, process and store individuals' personal data.

Six principles for processing personal data

The GDPR outlines six data protection principles you must comply with when processing personal data. These principles relate to:

  • Lawfulness, fairness and transparency - you must process personal data lawfully, fairly and in a transparent manner in relation to the data subject.
  • Purpose limitation - you must only collect personal data for a specific, explicit and legitimate purpose. You must clearly state what this purpose is, and only collect data for as long as necessary to complete that purpose.
  • Data minimisation - you must ensure that personal data you process is adequate, relevant and limited to what is necessary in relation to your processing purpose.
  • Accuracy - you must take every reasonable step to update or remove data that is inaccurate or incomplete. Individuals have the right to request that you erase or rectify erroneous data that relates to them, and you must do so within a month.
  • Storage limitation - you must delete personal data when you no longer need it. The timescales in most cases aren't set. They will depend on your business's circumstances and the reasons why you collect this data.
  • Integrity and confidentiality - you must keep personal data safe and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. See GDPR and security.

Read more about the data protection principles under the GDPR.

Accountability principle under the GDPR

Accountability is a new principle under the General Data Protection Regulation. It focuses on two key elements:

  • your responsibility to comply with the GDPR
  • your ability to demonstrate compliance

Measures to help you meet the accountability requirement may include, for example:

  • implementing data protection policies and security mechanisms
  • agreeing data protection contracts with third-party processors
  • documenting your processing activities
  • recording and reporting, where necessary, of personal data breaches
  • carrying out data protection impact assessments
  • appointing a data protection officer

Read more about accountability under the GDPR.

What is the GDPR deadline?

The GDPR came into force across the European Union on 25 May 2018. You can use our GDPR compliance checklist to work through the steps involved in complying with the new regulation.

This guide aims to help you understand GDPR and your obligations under the law, but it does not constitute legal advice. For definitive legal guidance, see the ICO's guide on GDPR or consider getting independent legal advice.