
EU GDPR Knowledge base


Understanding 6 key GDPR principles

Author: Punit Bhatia

The new General Data Protection Regulation (GDPR) states that processing of all personal data should be aligned with the principles defined in the regulation. As part of the effort to implement the regulation, it is important to understand key GDPR principles that are stated in Articles 5-11 of the GDPR text. As these principles form the basis of the GDPR requirements, let us understand what they are.

Lawfulness of processing

The companies that process personal data are expected to do so in a lawful manner. Now, what does this mean? Lawful means that all processing should be based on a legitimate purpose. GDPR lists six legitimate purposes, and processing of personal data must be linked to one of these.

1) Purpose limitation. Processing of personal data must be limited to the legitimate purpose for which that personal data was originally collected from the data subject. This effectively forbids the processing of personal data outside of the legitimate purpose for which the personal data was collected.

2) Data minimisation. When collecting data, only the personal data absolutely required for that purpose may be requested. This means that no data other than what is necessary can be requested, or stored. This is of significance when your company is analysing data. It will be important to limit the analysis of data to a set of anonymised data, or to a set of data for which consent has been obtained or there is a clear legitimate processing purpose.

3) Accuracy. Personal data of data subjects must always be accurate and kept up to date. This is simple and straightforward, meaning that controllers are asked to ensure that data is kept accurate, and data subjects can update their data when required.

4) Integrity and confidentiality. Personal data must be processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing. Also, controllers must ensure that data cannot be modified by unauthorised persons.

5) Storage limitation. Personal data should be retained only while necessary. That is, personal data should be deleted once the legitimate purpose for which it was collected has been fulfilled. This is not simple, and needs to be determined in line with applicable laws that may sometimes require personal data to be retained for a longer period than the originally envisaged processing purpose.

6) Fair and transparent. GDPR asks that all personal data processing should be fair; that is, companies do not perform processing that is not legitimate. Also, companies should be transparent regarding the processing of personal data, and inform the data subject in an open and transparent manner. This means that personal data should be processed if, and only if, there is a legitimate purpose for the processing of that personal data. EU GDPR requires companies to practice transparency so that data subjects will be sufficiently informed regarding the processing of their personal data.

Besides these principles, it is also important to understand how GDPR defines the data subjects’ rights, and the legal basis for processing – see these articles for detailed explanations:


The expectation that companies are fair, transparent and processing personal data lawfully eventually leads to accountability, which is a framework of self-discipline among companies. And, the responsibility to demonstrate compliance with this principle shall always rest with the controller. This means that the companies should be responsible in their actions relating to the processing of personal data, take ownership of what they do, and demonstrate evidence of all decisions made in the context of personal data processing. See the article Implementing three main accountability principles under EU GDPR.

To conclude, EU GDPR requirements are based on principles. These principles are centred around the concepts of accountability, and of the processing being lawful, fair and transparent. Also, there needs to be a focus on the purpose and storage limitations when considering minimisation of data. And, the integrity and confidentiality of personal data must always be maintained, while keeping the personal data accurate and up to date at all times.

Click here to read the full GDPR text to learn more about the key GDPR principles.
