How Many Data Protection Principles Are There?
The data protection principles are laid out and explained in Article 5 of the UK GDPR. These principles are the backbone of data protection, outlining the essentials to being compliant with GDPR when handling data, and your approach to processing personal data should be intrinsically tied to these principles.
So just how many principles are there? And what do they entail?
This article will explain it all.
So, to answer the question in the title, there are 6 data protection principles. These are then underpinned by another rule that should be followed. Because of this, they are sometimes referred to as the 7 principles of data protection; technically, however, there are only 6 principles.
Outlined in Article 5(1) of the UK GDPR, the 6 data protection principles are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
Outlined in Article 5(2), these principles are underpinned by:
- Accountability
(Although accountability is not technically a principle of the law, it is sometimes classed as a 7th principle).
Now, let’s explore the 6 data protection principles in more detail.
1) Lawfulness, Fairness & Transparency
“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);” - Information Commissioner’s Office
The first principle defines that data should be processed lawfully, fairly and transparently.
The data must be collected and processed on valid grounds (also known as a lawful basis), and the data should not be used for anything that breaks any laws (lawful). It must also be used in a way that does not unfairly affect the individual, such as by misleading them (fair). Finally, from the start of the process to the end, the data handler must be entirely open and honest about how the personal data is being used (transparent).
2) Purpose Limitation
“(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);” - Information Commissioner’s Office
The second principle defines that the use of data should be limited to the initial intended purposes.
This means being transparent and explaining from the start what the intended purposes are for using this data, and not straying from these purposes when using the data. This includes keeping a specific record of the intended purpose.
There are circumstances where you may be allowed to use the data for other purposes. These circumstances are:
- The new purpose is relevant to the initial purpose
- You receive new consent from the individual for the new purpose
- There is a legal obligation that requires you to use the data for a new purpose
- Archiving purposes that are in the public interest
- Purposes for historical or scientific research
- Statistical purposes
3) Data Minimisation
“(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);” - Information Commissioner’s Office
The third principle defines that the minimum amount of data required to carry out the intended purpose should be identified prior to collection, and then only this data is collected and processed.
This is an area where we see companies collecting far more data than they actually need on a regular basis. Website contact forms are a great example. For a contact form, you typically only need:
That’s because the “purpose” of the contact form is to enable and encourage people to contact you. Once you’re in a conversation with the user and they transition from being an “enquiry” to a “lead” or “customer”, you can ask for additional information as part of the client onboarding process.
However, it’s not uncommon to see contact forms which attempt to acquire all information from the outset. We’ve even seen some forms asking for date of birth information via the contact form!
Another benefit of asking for less information is that it can actually increase your conversion rates. So, when done right, it can be a win-win scenario for everyone.
Regular data audits are an important step to help ensure you’re only ever asking for personal data that you absolutely need. Check out our data mapping infographic explaining why knowing what data you have and why you have it is so important.
4) Accuracy
“(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);” - Information Commissioner’s Office
The fourth principle defines that an effort should be made to ensure the data you store or process is accurate and up to date.
If information is misleading or incorrect, every measure should be taken to update and correct it, or to have it redacted and erased. For example, if someone has moved house, it may be necessary to update the data you hold to reflect their new location.
However, when a scenario such as this occurs, you also need to remember to consider the other principles. For example, if they have moved address and the last contact you had with them was 3 years ago, then you may need to re-evaluate whether you actually have a legitimate interest in updating their address, or whether you should, in fact, remove their details from your database.
Another area to consider is notes applied manually to a customer's record. This includes identifying whether something is an opinion and, where necessary, outlining whose opinion it is and what the actual facts are.
5) Storage Limitation
“(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);” - Information Commissioner’s Office
The fifth principle defines that data should not be stored for longer than is required for the intended purposes.
The length of time the data is kept should be identified and justified prior to collection, and the data should not be held for longer than this period. This should be regularly reviewed, with data erased where appropriate. Individuals also have the right to request erasure of their data if you no longer need it.
Exceptions to this include:
- Archiving data for purposes in the public interest
- Archiving data for scientific or historical research purposes
- Archiving data for statistical purposes
These exceptions are subject to safeguards that may be required to protect the individual, such as anonymisation or pseudonymisation.
6) Integrity & Confidentiality (Security)
“(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).” - Information Commissioner’s Office
The sixth principle defines that data should be processed with integrity and should have the optimum protection from unauthorised access, ensuring it remains confidential where appropriate.
The necessary security measures should be in place to ensure data in your possession isn’t compromised accidentally or by an unauthorised person, be that lost, altered or deleted.
The measures you can take include analysis of risk, adopting organisational security policies, and physical and technical protective measures.
“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).” - Information Commissioner’s Office
Finally, these principles are underpinned by accountability; you must be accountable and responsible for compliance with the UK GDPR and its principles. It is on the data holder to ensure measures are taken to protect data.
The measures you can take include:
- Having data protection policies
- Having contracts and keeping records with external organisations who manage data for you
- Maintaining records of your data processing activities
- Having necessary data security measures
- Recording and reporting personal data breaches
- Assessing data protection impact for use of personal data where there are risks to the individual
- Having a dedicated data protection officer
- Signing up to certification schemes and following codes of conduct where necessary
If good data protection practices aren’t demonstrable, you may be at risk of fines and negative reputational consequences.
Why Are The Data Protection Principles Important?
These principles set out a guideline for what you should be doing when collecting, handling and processing data. They are hugely important and influence the entirety of the general data protection regime.
They outline the essentials of good data protection practice and are key to complying with UK GDPR.
Again, failure to comply with the GDPR can result in heavy fines and penalties, as well as the risk of mishandling and compromising data.
Who Is Responsible For Ensuring GDPR Compliance Within An Organisation?
In small companies it often falls to the company directors to ensure that their organisation is GDPR compliant. However, within larger organisations you may find a dedicated person assigned to a role as a Data Protection Officer (DPO). The DPO is responsible for managing all areas of GDPR compliance including defining the data protection approach, strategy and implementation.
We actually provide a dedicated course which provides an overview for the role and responsibilities of a Data Protection Officer.
Ready To Learn More About GDPR?
With the principles of data protection covered, hopefully you’re in a better position to ensure you’re GDPR compliant, although you can never know too much about the ins and outs of GDPR.
Why not check out our GDPR Toolbox, a set of practical tools to help you manage your data protection challenges?
Or maybe you’re relatively new to the world of GDPR. Take a look at our GDPR for Beginners course to learn all you need to know about data protection and complying with these principles.