GDPR Principles
Six rules that govern everything you do with data.
Overview
Article 5 of GDPR sets out six data protection principles that apply to every processing activity. These are not aspirational guidelines β they are legal obligations, and non-compliance can result in regulatory action. Answer the five questions below. For each principle, go beyond the name: explain what it requires in practice and what it looks like when it fails.
Read before you answer
Article 5 of GDPR sets out six data protection principles that govern every processing activity involving personal data. These are not aspirational guidelines β they are legal obligations, and the organisation responsible for processing (the controller) must be able to demonstrate compliance with all of them at any time. Article 5(2) adds an overarching accountability principle that makes this a proactive obligation: compliance must be actively evidenced, not merely claimed.
The six principles are: Lawfulness, fairness, and transparency β processing must have a valid legal basis, must not be deceptive or harmful, and data subjects must be informed about how their data is used. Purpose limitation β data collected for a specified purpose must not be further processed in ways incompatible with that purpose. Data minimisation β only data that is adequate, relevant, and limited to what is necessary for the purpose should be collected; collecting data "just in case" violates this principle. Accuracy β data must be kept accurate and up to date, with inaccurate data erased or corrected promptly. Storage limitation β data must not be kept longer than is necessary for the purpose; retention periods should be defined, documented, and enforced. Integrity and confidentiality (security) β appropriate technical and organisational measures must protect data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
The practical implication of these principles is that every new processing activity should be designed with them in mind from the outset. Purpose limitation means that when a new use of existing data is proposed β using a customer email list for a new marketing campaign, for example β the new purpose must be assessed for compatibility with the original purpose. Storage limitation means that data must not simply accumulate indefinitely: there must be defined retention periods and a mechanism that enforces them. The accountability principle means that all of this must be documented β in privacy notices, data protection impact assessments, Records of Processing Activities, and training logs β so that the organisation can demonstrate compliance rather than simply assert it.