What are the data protection principles? 

Infographic showing the key data protection principles which must be complied with under the GDPR UK and Data Protection Act

The data protection principles are the seven core rules at the heart of the UK's data protection laws, especially the UK GDPR and the Data Protection Act 2018. They shape how you must process personal data.

Personal data is any information that can be used to identify a living person. This includes obvious details like names, email addresses, and information related to racial or ethnic origin. Any activity involving this data (like collecting, storing, using, or deleting it) is called 'processing'.

The principles provide a framework rather than specific rules for every situation. You must be able to show that your business follows these principles in all its data processing activities.

The accountability principle

The accountability principle holds organisations responsible for what they do with data and how they comply with the other data protection principles. It's not enough to just follow the rules; organisations must be able to show (or 'demonstrate') that they’re following them. This involves:

Infographic noting that the accountability principle is the thread that runs through all other data protection principles

The lawfulness, fairness, and transparency principle

Organisations need to ensure that personal data is processed fairly, lawfully, and in a transparent manner. This principle has three parts:

Lawfulness

Organisations must have a valid legal reason (ie a 'lawful basis') to process the data. Common examples include getting the consent of the data subject (ie the individual the data relates to) or having a legitimate interest. If an organisation processes special category sensitive personal data (eg information about racial/ethnic origin, health, sexual life, or biometrics) or criminal offence data (eg criminal convictions and offences or related security measures), it must meet extra, stricter conditions. For more information, read Processing personal data.

Fairness

Organisations must process data fairly. This generally means that data must be processed in ways people would reasonably expect and must not be used in a way that has an 'unjustified adverse effect' on them. Organisations should consider:

  • how personal data is obtained - if people are deceived or misled when the personal data is obtained, this is likely to be unfair

  • how the data processing affects the interests of the people concerned (individually and as a group) - if data is obtained and used fairly in relation to most of the data subjects but unfairly in relation to one data subject, there may still be a breach of this principle

  • whether any negative effects are justified - personal data may at times be used in a way that negatively affects an individual without this necessarily being unfair, provided that such a detriment is justified

Transparency

Organisations must be clear, open, and honest with people from the start about how and why their data is being used. This information must be easy to understand and tell people things like who the organisation is, its reasons for processing, the lawful basis, how long the data will be kept, and what the person's rights are (eg the right to have inaccurate data corrected, data erased, or to object to the use of data). A Website privacy policy can provide this information.

The purpose limitation principle

Organisations must only collect personal data for specified, explicit, and legitimate purposes. They must not process that data later in a way that is incompatible with those original purposes. In practice, organisations must:

  • be clear from the start why they're collecting personal data and what they intend to do with it

  • document their purposes (as part of their accountability obligations)

  • inform individuals about their purposes (as part of their transparency obligations)

  • ensure that any new or additional use is fair, lawful, and transparent

If an organisation wants to use the data for a new purpose, it must check if that new purpose is compatible with the original one. Processing for public interest archiving, scientific or historical research, or statistical purposes is generally considered compatible.

To decide if another new purpose is compatible, an organisation must assess:

  • any link between the original and new purposes

  • the context the data was collected in (eg what would the person reasonably expect?)

  • the nature of the personal data (eg is it sensitive?)

  • the possible consequences of the new processing for the person

  • if there are safeguards in place (like encryption or anonymisation)

If the new purpose is not compatible, the organisation will need to get the data subject’s consent for the new use or have a clear legal provision that allows it.

The data minimisation principle

Organisations must only collect and process personal data that is adequate, relevant, and limited to what is strictly necessary for their stated purpose. To break this down, the personal data an organisation holds must be:

  • adequate - meaning it's sufficient to properly fulfil the purpose (eg not holding so little data that it's inaccurate)

  • relevant - meaning it has a rational link to that purpose

  • limited to what is necessary - meaning organisations must identify the minimum amount of data they need and not hold any more than that

This is the 'less is more' principle. Organisations shouldn't collect data just in case it might be useful one day. They should also periodically review the data they hold and delete anything that's no longer needed.

Infographic noting that the data minimisation principle applies to all stages of data processing

The accuracy principle

Organisations must take all reasonable steps to ensure the personal data they hold is accurate and, where necessary, kept up to date. Under the UK GDPR, data is inaccurate if it's incorrect or misleading as to any matter of fact. This means organisations must:

  • accurately record data when they first receive it

  • ensure the source and status of the data are clear

  • have processes to update or correct data 'without delay' when an inaccuracy is found

  • carefully consider any challenge from an individual about their data's accuracy (this is known as the 'right to rectification')

It's important to distinguish between facts and other types of information:

  • opinions - a record of an opinion isn't inaccurate just because the person disagrees with it. However, the record must clearly state that it is an opinion and not a fact

  • mistakes - if a mistake is made (eg a penalty is issued and later refunded), the record should accurately reflect the sequence of events (eg that the penalty was imposed and then refunded) rather than simply deleting the mistake, as this provides a true historical record. The key is that the record must not be misleading

The storage limitation principle

Organisations must not keep personal data in a form that identifies people for longer than is necessary for the purpose for which it was originally collected. They cannot keep data indefinitely, 'just in case'.

Organisations must be able to justify how long they keep data. This means they should set clear retention periods (eg in a Data retention policy) and review them regularly.

Once the purpose is finished and the retention period expires, the data must be securely deleted or anonymised. If data is fully anonymised (so an individual cannot be identified), it's no longer personal data, and this rule doesn't apply.

The only exception for keeping personal data longer is if it's held solely for public interest archiving, scientific or historical research, or statistical purposes. If an organisation uses this exception, it must have appropriate safeguards in place (like pseudonymisation) to protect the individuals.

For more information, read Data retention and document destruction.

The integrity and confidentiality (security) principle

Organisations must process personal data in a way that ensures its security. This is a core principle, meaning organisations must have appropriate technical and organisational measures in place to protect the data. This includes protecting it from unauthorised or unlawful processing and from accidental loss, destruction, or damage.

What's appropriate depends on the organisation's circumstances, the data it's processing, and the risks involved.

Organisational measures

Organisational measures are about the policies, procedures, and people within a business. They include:

  • making and maintaining internal policies (eg an Information security policy or a Bring your own device (BYOD) policy)

  • providing regular data protection and security training for all staff

  • having clear access controls so employees can only access the data they need for their job

  • managing suppliers and data processors to ensure they also have good security

  • having a plan to deal with any data breaches (an incident response plan)

  • securing the physical premises (eg with locked doors, alarms, CCTV, and secure storage for paper files)

Technical measures

Technical measures are the technology-based controls an organisation uses. This covers cybersecurity and IT systems, and includes:

  • using strong passwords, multi-factor authentication, and managing user accounts

  • installing firewalls, anti-virus, and anti-malware software on all systems

  • using encryption to scramble data, especially on portable devices like laptops or when it's sent over the internet

  • regularly backing up data and having a plan to restore it

  • securely deleting data and disposing of old IT equipment

  • keeping software and systems up to date with the latest security patches

For more information, read Information security and cyber security.

How to comply with data protection principles

If your organisation processes personal data, you must comply with the principles. This means having the right safeguards in place, like clear internal policies.

This is especially important if you handle 'special category' sensitive personal data and criminal offence data, which often requires an Appropriate policy document (APD). APDs cover your organisation's procedures for ensuring compliance with data protection principles, which involves listing the different data protection principles and setting out how each of them is complied with. For more information, read APDs for data protection.

What happens if I don't follow the principles?

Failing to comply with the data protection principles can have serious consequences. The Information Commissioner’s Office (ICO) can issue substantial fines for infringements, up to £17.5 million or 4% of your global annual turnover, whichever is higher. Aside from fines, a data breach or investigation can cause significant reputational damage, leading to a loss of trust from your customers, partners, and employees. Individuals who have suffered damage (eg financial loss or distress) as a result of your non-compliance can also take you to court to claim compensation.


Following the data protection principles is essential for legal compliance and building customer trust. If you need to create or update your policies or other data protection documents, you can use our GDPR documents.

Use our GDPR compliance service if you require comprehensive guidance on making your business compliant. If you have any questions about your specific data protection obligations, do not hesitate to Ask a lawyer.


Written and reviewed by experts
This guide was created, edited, and reviewed by editorial staff who specialise in translating complex legal topics into plain language.

About this page:

  • this guide was written and reviewed by Rocket Lawyer editorial staff
  • this guide was last reviewed or updated on 13 January 2026
