
GDPR: Six Data Protection Principles Cheat Sheet (DRAFT) by [deleted]


This is a draft cheat sheet. It is a work in progress and is not finished yet.


The EU General Data Protection Regulation (GDPR) outlines six data protection principles that organisations need to follow when collecting, processing and storing individuals’ personal data. The data controller is responsible for complying with the principles and must be able to demonstrate the organisation’s compliance practices.

We’ve listed the six principles here with advice on how you can follow them.

1. Lawfulness, fairness and transparency

Organisations need to make sure their data collection practices don’t break the law and that they aren’t hiding anything from data subjects.

To remain lawful, you need to have a thorough understanding of the GDPR and its rules for data collection. To remain transparent with data subjects, you should state in your privacy policy the type of data you collect and the reason you’re collecting it.

2. Purpose limitation

Organisations should only collect personal data for a specific purpose, clearly state what that purpose is, and only collect data for as long as necessary to complete that purpose.

Processing that’s done for archiving purposes in the public interest or for scientific, historical or statistical purposes is given more freedom.

3. Data minimisation

Organisations must only process the personal data that they need to achieve their processing purposes. Doing so has two major benefits. First, in the event of a data breach, the unauthorised individual will only have access to a limited amount of data. Second, data minimisation makes it easier to keep data accurate and up to date.

4. Accuracy

The accuracy of personal data is integral to data protection. The GDPR states that “every reasonable step must be taken” to erase or rectify data that is inaccurate or incomplete.

Individuals have the right to request that inaccurate or incomplete data be erased or rectified within 30 days.


5. Storage limitation

Organisations need to delete personal data when it’s no longer necessary.

How do you know when information is no longer necessary? According to marketing company Epsilon Abacus, organisations might argue that they “should be allowed to store the data for as long as the individual can be considered a customer. So the question really is: For how long after completing a purchase can the individual be considered a customer?”

The answer will vary between industries and the reasons that data is collected. Any organisation that is uncertain how long it should keep personal data should consult a legal professional.

6. Integrity and confidentiality

This is the only principle that deals explicitly with security. The GDPR states that personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

The GDPR is deliberately vague about what measures organisations should take, because technological and organisational best practices are constantly changing. Currently, organisations should encrypt and/or pseudonymise personal data wherever possible, but they should also consider whatever other options are suitable.