Latest updates
19 May 2023 - we have broken the Guide to the UK GDPR down into smaller guides. All the content stays the same.
At a glance
- The UK GDPR sets out seven key principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
- These principles should lie at the heart of your approach to processing personal data.
In brief
- What are the principles?
- Why are the principles important?
What are the principles?
Article 5 of the UKGDPR sets out seven key principles which lie at the heart of the general data protection regime.
Article 5(1) requires that personal data shall be:
“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
Article 5(2) adds that:
“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
For more detail on each principle, please read the relevant page of this guide.
Why are the principles important?
The principles lie at the heart of the UKGDPR. They are set out right at the start of the legislation, and inform everything that follows. They don’t give hard and fast rules, but rather embody the spirit of the general data protection regime - and as such there are very limited exceptions.
Compliance with the spirit of these key principles is therefore a fundamental building block for good data protection practice. It is also key to your compliance with the detailed provisions of the UKGDPR.
Failure to comply with the principles may leave you open to substantial fines. Article 83(5)(a) states that infringements of the basic principles for processing personal data are subject to the highest tier of administrative fines. This could mean a fine of up to £17.5 million, or 4% of your total worldwide annual turnover, whichever is higher.
FAQs
The five key principles of data protection are lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy and storage limitation; and security and confidentiality.
What are the 5 data protection principles? ›
Lawfulness, fairness, and transparency; ▪ Purpose limitation; ▪ Data minimisation; ▪ Accuracy; ▪ Storage limitation; ▪ Integrity and confidentiality; and ▪ Accountability.
Which of the following are correct data protection principles select 3? ›
The following is a brief overview of the Principles of Data Protection found in article 5 GDPR: Lawfulness, fairness, and transparency: Any processing of personal data should be lawful and fair.
What is principal 4 of the data protection principles? ›
What are principles three, four and five about? The third principle requires that the personal data you are processing is adequate, relevant and not excessive. This means the data must be limited to what is necessary for the purpose(s) you are processing it. The fourth data protection principle is about accuracy.
Which data protection principles require that data is processed in a manner that? ›
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').
What are the 7 principles of data security? ›
If your company handles personal data, it's important to understand and comply with the 7 principles of the GDPR. The principles are: Lawfulness, Fairness, and Transparency; Purpose Limitation; Data Minimisation; Accuracy; Storage Limitations; Integrity and Confidentiality; and Accountability.
What are the 7 golden rules of data protection? ›
Necessary, proportionate, relevant, accurate, timely and secure. Check these key words. Is it the right information for the purpose?
What are the 4 key areas of data protection? ›
Data minimisation. Accuracy. Storage limitation. Integrity and confidentiality (security)
What is data protection principle 4 security of personal data? ›
Principle 4 – security of personal data
Data users must take appropriate security measures to protect personal data. They must ensure that personal data are adequately protected against unauthorized or accidental access, processing, erasure, or use by other people without authority.
What are the 8 key principles of data protection? ›
What Are the Eight Principles of the Data Protection Act?
- Fair and Lawful Use, Transparency. The principle of this first clause is simple. ...
- Specific for Intended Purpose. ...
- Minimum Data Requirement. ...
- Need for Accuracy. ...
- Data Retention Time Limit. ...
- The right to be forgotten. ...
- Ensuring Data Security. ...
- Accountability.
Broadly, the seven principles are :
- Lawfulness, fairness and transparency.
- Purpose limitation.
- Data minimisation.
- Accuracy.
- Storage limitation.
- Integrity and confidentiality (security)
- Accountability.
Data are sensitive and must therefore be protected and kept confidential. We must ensure that the privacy and confidentiality of data subjects is protected throughout the full data lifecycle. Those providing data should be made aware of confidentiality procedures and rights at point of collection.
What are the three types of data protection? ›
Some of the most common types of data security, which organizations should look to combine to ensure they have the best possible strategy, include: encryption, data erasure, data masking, and data resiliency.
What are the five key aspects of the data protection Act? ›
There are five key data protection principles that organizations must adhere to: lawful, fair, and transparent processing; purpose limitation; data minimization; accuracy; and storage limitation.
How many data protection principles are there in total? ›
Six Data Protection Principles (DPP)
Personal data must be collected in a lawful and fair way, for a purpose directly related to a function /activity of the data user. Data subjects must be notified of the purpose and the classes of persons to whom the data may be transferred.
