The seven principles of data protection

Failure to meet the principles, in both the letter and the spirit of the law, could leave you exposed to large fines; unfortunately, infringements of these basic principles are subject to the highest tier of administrative fines. Breaches and failures can translate into a fine of up to £17.5 million, or 4% of your annual global turnover, whichever is higher.

Here, then, are outlines of the seven principles.

  1. Lawfulness, fairness, and transparency
    • You must identify valid grounds under the UK GDPR for collecting and using personal data, ensuring that you do not do anything with the data that breaches any other laws. You must use personal data in a way that is fair. This means you must not process the data in a way that is unduly detrimental, unexpected, or misleading. You must be clear, open, and honest from the start about how you will use personal data. It is not just a question of how you use data, but whether you should use it at all.
  2. Purpose limitation
    • This requirement aims to make sure that you are clear and open about your reasons for obtaining personal data, and that what you do with the data is in line with the reasonable expectations of the individuals concerned. You must be clear from the start about what your purposes are for processing the data. You need to record your purposes as part of your documentation obligations and specify them in your privacy information for individuals. You can only use the personal data for a new purpose if either this is compatible with your original purpose, you get consent, or you have a clear obligation or function set out in law. Specifying your purposes from the outset also helps you to be accountable for your processing.
  3. Data minimisation
    • You must ensure the personal data you process is enough to properly fulfil your purpose, has a rational link to that purpose, and is limited to what is necessary, i.e. you do not hold more than you need for that purpose. So, you must first be clear why you need to hold personal data, bearing in mind that the amount of data may differ from one individual to another, and that an individual has the right to be forgotten, that is, to have all their data erased from your system.
  4. Accuracy
    • You should take all reasonable steps to make sure the personal information you hold is correct and not misleading in any way. This means that you must be open to any challenge about data accuracy and immediately correct any errors or erase the data entirely, and you must recognise that this data may need to be updated, depending on what you use it for. The more important it is that personal data is accurate, e.g. in medical or legal cases, the greater the effort you should put into ensuring its accuracy.
  5. Storage limitation
    • You should not keep personal data for longer than you need it, and you should be able to justify why you hold the information that you do. This reduces the risk to the information itself and keeps storage costs under control. A flexible retention policy will be immensely helpful in this area of data protection: it lets you comply with documentation requirements and periodically review what you hold for accuracy and relevance, deleting, securely destroying, or anonymising any data you no longer need. Public interest archiving, scientific or historical research, and statistics can all be valid reasons for keeping data for longer.
  6. Accountability
    • This principle requires you to take responsibility for data protection, and to comply with the other principles.

For detailed and nuanced information about the data protection principles, go to the Information Commissioner’s Office website where you will find a raft of supporting documentation, such as ‘A guide to data security’ and ‘A guide to the data protection principles’.
