GDPR Principles

Echoing my last blog post, I'd like to talk about principles of the GDPR (General Data Protection Regulation), and why we should adhere to them. Introduced in 2018, the GDPR is European legislation that is enforced in the European Union and European Economic Area, and concerns data privacy for private citizens. It is designed to increase individuals' control and rights over their personal data, in a much more progressive way than we currently have here. California has already adopted similar legislation and it's likely only a matter of time before the rest of the US does as well. There are seven principles involved in adhering to the letter of the GDPR.

The first and perhaps the most important principle is divided into three parts, and consists of lawfulness, fairness, and transparency. The first part means that data collection and processing must be done with a valid legal basis. There are a few ways this can be obtained, the first and most straightforward of which is getting the consent of the data subject. It could also be the case that processing is necessary for compliance with a legal obligation or in the performance of a task in the public interest, among several other scenarios. Fairness refers to the idea that the data processing should be done in the best interest of the person and should be reasonable in scope. Finally, data must be collected and processed in a transparent way. The what, how, and why of your data use should be communicated and you should have privacy policies your users can review.

The second principle is that of purpose limitation. In other words, data should not be reused for purposes other than the one for which it was originally collected. IP addresses collected to document consent cannot be used to send out your personal newsletter. The third principle relates to data minimization: data should only be gathered in the exact amount needed to perform the necessary processing. It might be tempting to collect more information than is strictly needed, especially in a sales or marketing context, but it's an important rule to follow.

The fourth principle of the GDPR is making sure your data is accurate. The data controller must take reasonable measures to ensure data is correct and up to date. This might simply be giving your users the option to update their data when necessary. The fifth principle relates to the third in terms of data collection and storage - there must be limitations on the amount of data stored and the length of time it is kept, and it must be deleted in a secure way when it is no longer needed for its original intended purpose. This is part of data minimization in itself.

The sixth principle also has two parts: integrity and confidentiality. Data integrity is similar to maintaining accuracy of the data, but is more about how the internal security of the data will prevent it from being manipulated in unintended ways. Confidentiality means only the people processing the data should have access to it, and there should be protocols in place for how data is requested, authorized to be accessed, and transmitted. The seventh and last principle we will talk about is accountability. Basically this means being responsible for the data you process and adhering to the other six principles outlined above. One way to do this is to document that you are fulfilling the principles of the GDPR, taking responsibility for ensuring they are followed, and providing training to employees around data security. If you make these seven principles a priority in your data collection and processing, you are well on your way to adhering to GDPR standards and making your data processes future-proof.

Author: Adam Sultanov
Powered by The Information Lab
© 2025 The Information Lab