Strike Graph security compliance blog

What are the 7 GDPR principles?

Written by Michelle Strickler | Jun 24, 2022 7:00:00 AM

As we discussed in our previous post, Chapter 2, Article 5 of the General Data Protection Regulation (GDPR) lays out GDPR’s seven protection and accountability principles.

Rather than act as hard rules, these principles serve as an overarching framework designed to lay out the broad purposes of GDPR. In this post, we’ll take a look at all seven principles of GDPR and what they mean for you and your business.

1. Lawfulness, fairness, and transparency

Let’s start by looking at each of these terms:

  • Lawfulness refers to the fact that whenever a company is processing personal data, it should have a good reason for doing so. For example, a company is processing data because it must fulfill a legal obligation, it must make good on a contract, the user has given the company consent, etc.
  • Fairness refers to the fact that a company shouldn’t purposely withhold information about what or why it's collecting data, or mishandle or misuse the data it collects.
  • Transparency means a company must be clear, open, and honest with data subjects about who it is and why and how it's processing personal data.

2. Purpose limitation

This principle ensures data is only used for specific activities, and that it is “collected for specified, explicit, and legitimate purposes”. These purposes must be clearly established and openly communicated via a privacy notice. Make sure your organization follows them closely and limits the processing of data only to the purposes you’ve stated.

3. Data minimization

Like purpose limitation, data minimization ensures organizations only collect the smallest amount of data they’ll need to fulfill their purposes. For example, if your company wants to collect user information in order for website visitors to download an asset, you can only ask for the information you need in order to send them that asset. While email addresses are directly related to that purpose, first and last names are less so — but still applicable — and home addresses and phone numbers aren’t at all.

4. Accuracy

Your organization must ensure that the data you collect and store is accurate. In order to do this, set up checks and balances to correct, update, or erase incorrect or incomplete data and conduct regular audits to ensure everything remains accurate.

5. Storage limitation

The storage limitation principle requires your organization to justify the length of time it keeps each piece of data it stores. To comply, establish data retention periods and create a standard time period after which your organization anonymizes any data it isn’t actively using.

6. Integrity and confidentiality

Maintaining the integrity and confidentiality of the data your organization collects refers to keeping it secure from both internal and external threats — including accidental loss, destruction, or damage and unauthorized or unlawful processing. This can be achieved via planning and proactive diligence.

7. Accountability

Accountability requires that your organization have the appropriate measures and records in place as proof of its compliance. Ensure you have such measures documented, as supervisory authorities can ask for this evidence at any time.

Use these seven principles of GDPR to inform all of your business practices and processing activities. This will ensure you get — and remain — GDPR compliant.