A guide to the data protection principles (2024)

Latest updates

19 May 2023 - we have broken the Guide to the UK GDPR down into smaller guides. All the content stays the same.

At a glance

  • The UK GDPR sets out seven key principles:
    • Lawfulness, fairness and transparency
    • Purpose limitation
    • Data minimisation
    • Accuracy
    • Storage limitation
    • Integrity and confidentiality (security)
    • Accountability
  • These principles should lie at the heart of your approach to processing personal data.

In brief

  • What are the principles?
  • Why are the principles important?

What are the principles?

Article 5 of the UK GDPR sets out seven key principles which lie at the heart of the general data protection regime.

Article 5(1) requires that personal data shall be:

“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

Article 5(2) adds that:

“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

For more detail on each principle, please read the relevant page of this guide.

Why are the principles important?

The principles lie at the heart of the UK GDPR. They are set out right at the start of the legislation, and inform everything that follows. They don’t give hard and fast rules, but rather embody the spirit of the general data protection regime - and as such there are very limited exceptions.

Compliance with the spirit of these key principles is therefore a fundamental building block for good data protection practice. It is also key to your compliance with the detailed provisions of the UK GDPR.

Failure to comply with the principles may leave you open to substantial fines. Article 83(5)(a) states that infringements of the basic principles for processing personal data are subject to the highest tier of administrative fines. This could mean a fine of up to £17.5 million, or 4% of your total worldwide annual turnover, whichever is higher.

In more detail – ICO guidance

Read our individual rights and international transfers guidance.


FAQs

What are the 7 principles of the Data Protection Act?

  • Lawfulness, fairness, and transparency;
  • Purpose limitation;
  • Data minimisation;
  • Accuracy;
  • Storage limitation;
  • Integrity and confidentiality; and
  • Accountability.

These principles are found right at the outset of the GDPR, and inform and permeate all other provisions of that legislation.

What are the principles of data protection guidelines?

These principles include: transparency, lawfulness, fairness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.

Which are the 4 basic principles of data privacy?

  • Lawfulness, fairness and transparency.
  • Purpose limitation.
  • Data minimisation.
  • Accuracy.
  • Storage limitation.
  • Integrity and confidentiality (security).
  • Accountability.

What are the 7 principles of PDPA?

A business dealing with the processing of personal data is legally obligated to comply with the 7 personal data protection principles. The principles are the General Principle, Notice and Choice Principle, Disclosure Principle, Security Principle, Retention Principle, Data Integrity Principle and Access Principle.

What are the 8 rights of data protection?

The GDPR has a chapter on the rights of data subjects (individuals) which includes the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and the right not to be subject to a decision based solely on automated ...

What is Article 8 of the General Data Protection Regulation?

Article 8 of the UK GDPR applies where you are offering an information society service (ISS) directly to a child. It does not require you to always get consent for the processing of children's personal data in this context, but if you choose to rely on consent it sets out further conditions as follows: “1.

What are three key principles of data protection?

Lawfulness, Fairness and Transparency

To ensure adherence to the law, you must have a deep appreciation of the GDPR and its principles surrounding data collection. To ensure transparency with data subjects, you must outline in a privacy policy the sort of data you gather, and why you are gathering this data.

What is the first data protection principle?

What is the first principle about? The first data protection principle says that any processing for law enforcement purposes must be lawful and fair. Lawfulness and fairness are well established requirements of data protection law.

What is principle 7 of the Data Protection Act and how can it be avoided?

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

How many principles of data protection are there?

The GDPR sets out seven principles for the lawful processing of personal data. Processing includes the collection, organisation, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction of personal data.

What is a data protection policy?

A Data Protection Policy is a statement that sets out how your organisation protects personal data. It is a set of principles, rules and guidelines that informs how you will ensure ongoing compliance with data protection laws.

What are the 5 pillars of compliance with the Data Privacy Act?

To ensure data privacy, there are 5 main pillars of data privacy which include: appointment of a data protection officer, conducting of privacy impact assessment (PIA), formulation of a privacy management program (PMP), execution of data privacy and protection measures, and preparation of data breach management ...

What is the key requirement of the General Principle?

General Principle: A data user must not process personal data about a data subject unless the data subject consents to the personal data processing, or explicitly consents to the processing of sensitive personal data (Section 6, PDPA).

Why are the 7 principles of GDPR important?

The principles lie at the core of the GDPR and data privacy laws. They provide guidance for everyone who is required to be GDPR compliant. They also provide clarity for the expectations of EU residents as to how their data should be processed.

What is principle 6 of the Data Protection Act?

What is the sixth principle about? “Appropriate security” includes “protection against unauthorised or unlawful processing and against accidental loss, destruction or damage”.

What are the main points of the Data Protection Act 1998?

Under the Data Protection Act, individuals have a right to ask whether you are processing their personal data, for a description of their personal data, and the purpose it is held for, a description of who (people/organisations) might see their personal data and for a copy of the information.

What are the 3 principles of the Data Privacy Act?

Principles of Transparency, Legitimate Purpose and Proportionality. The processing of personal data shall be allowed subject to adherence to the principles of transparency, legitimate purpose, and proportionality.

Article information

Author: Laurine Ryan
