UK General Data Protection Regulation (UK GDPR)

Data protection principles under the UK GDPR


The UK General Data Protection Regulation (UK GDPR) sets out seven key principles which underpin the UK data protection regime.

1. Lawfulness, fairness and transparency principle

To comply with the first principle, you must process personal data lawfully, fairly and in a transparent manner in relation to the data subject. This means you must:

  • identify valid grounds for collecting or using personal data - known as the lawful basis
  • ensure that your use of data doesn't breach any other laws
  • use data in a way that is fair, ie not detrimental, unexpected or misleading to the individuals concerned
  • be clear, open and honest with people about how you will use their personal data

2. Purpose limitation principle

To comply with the second principle, you must only collect personal data for a specific, explicit and legitimate purpose. This means you must:

  • be clear about what your purposes for processing are from the start
  • record your purposes as part of your documentation obligations
  • inform individuals about your purposes to comply with transparency obligations
  • ensure that if you plan to use or disclose personal data for any purpose that is additional to or different from the originally specified purpose, the new use is fair, lawful and transparent

3. Data minimisation principle

To comply with the third principle, you must ensure that the personal data you are processing is:

  • adequate - sufficient to properly fulfil your stated purpose
  • relevant - has a rational link to that purpose
  • limited to what is necessary - you do not hold more than you need for that purpose

4. Accuracy principle

The accuracy principle requires you to take all reasonable steps to:

  • ensure the personal data you hold or process is not incorrect or misleading
  • ensure that the source and status of personal data are clear
  • consider any challenges to the accuracy of information
  • consider if it is necessary to periodically update the information

5. Storage limitation principle

To comply with the storage limitation principle, you must not keep personal data for longer than you need it. You must also:

  • think about - and be able to justify - how long you keep the data depending on the purpose you need it for
  • set a retention policy or schedule wherever possible, to comply with the documentation requirements
  • periodically review the data you hold, and erase or anonymise it when you no longer need it
  • carefully consider any challenges to your retention of data, for example when it comes to erasure

6. Integrity and confidentiality (also known as the security principle)

To comply with security requirements, you must have appropriate security measures in place to protect the data you hold. This means protecting the data:

  • against unauthorised or unlawful processing
  • against accidental loss, destruction or damage
  • using appropriate technical or organisational measures

7. Accountability principle

The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles. You must have appropriate measures and records in place to be able to demonstrate your compliance.

Following these seven principles is essential to good data protection practice. It is also fundamental to compliance with the provisions of the UK GDPR. Failure to comply with the principles may leave you open to substantial UK GDPR penalties and fines.

This guide does not constitute legal advice and is provided for general information purposes only.