The GDPR is built upon a set of core principles which must be observed when working towards GDPR compliance. Learn more about these principles and how to approach them in your operations.
Robb Taylor-Hiscock
Privacy Content Lead, CIPP/E, CIPM
May 17, 2021
The General Data Protection Regulation (GDPR) rewrote the rules on privacy, forcing companies to update their operations and even reimagine their product designs, services, and branding.
So although the GDPR passed in 2016, its core tenets are as relevant today as when legislators first issued them. The key principles at the heart of the law should inform every step of a modern privacy program.
Refamiliarize yourself with their intentions and ensure your personal data processing practices support them.
Whenever you’re processing personal data, you should have a good reason for doing so. GDPR terms this principle lawfulness. Reasons for processing data can include:
The concept of fairness laid out in the GDPR goes hand-in-hand with lawfulness. It means you shouldn’t purposely withhold information about what data you’re collecting or why you’re collecting it. In other words, users wouldn’t be surprised if they knew how you were using their data. Fairness also means you won’t mishandle or misuse the data you collect.
Transparency is inherently linked to fairness: Being clear, open, and honest with data subjects about who you are, and why and how you’re processing their personal data is the definition of transparency. By following it, you act fairly towards your data subjects.
The GDPR’s second principle sets boundaries around using data only for specific activities. This purpose limitation means data is “collected for specified, explicit, and legitimate purposes” only, as stated in the GDPR.
Your purposes for processing data must be clearly established and clearly communicated to individuals through a privacy notice. Finally, you must follow them closely, limiting the processing of data to only the purposes you’ve stated.
If at any point, you want to use the data you’ve collected for a new purpose that’s incompatible with your original purpose, you must ask specifically for consent again to do it — unless you have a clear obligation or function set out in law.
Only collect the smallest amount of data you’ll need to complete your purposes. This is the GDPR principle of data minimization. For example, if you want to gather subscribers for your email newsletter, you should only ask for information necessary to send out the newsletters. Avoid gathering personal data such as phone numbers or home addresses, which aren’t directly related to your purpose.
It’s up to you to ensure the accuracy of the data you collect and store. Set up checks and balances to correct, update, or erase incorrect or incomplete data that comes in. Also have regular audits on the calendar to double-check the cleanliness of stored data.
According to the GDPR, you have to justify the length of time you’re keeping each piece of data you store. Establishing data retention periods is a good way to meet this storage limitation principle. Create a standard time period after which you’ll anonymize any data you’re not actively using.
The GDPR requires you maintain the integrity and confidentiality of the data you collect, essentially keeping it secure from internal or external threats. This takes planning and proactive diligence. You must protect data from unauthorized or unlawful processing and accidental loss, destruction, or damage.
The GDPR regulators know an organization can say they’re following all the rules without actually doing it. That’s why they require a level of accountability: You must have appropriate measures and records in place as proof of your compliance with the data processing principles. Supervisory authorities can ask for this evidence at any time. Documentation is key here. It creates an audit trail you — and authorities — can follow if you do need to prove responsibility.
The 7 principles of the GDPR communicate the spirit and thought process behind data processing best practices. In addition, the GDPR sets out data controller and processor responsibilities that support each of the principles.
Instead of being a piece of the operational puzzle, these 7 principles inform all processing activity and business practices — from the design stage across the entire data processing lifecycle. This can be best fulfilled by implementing privacy by design and default.
To learn how this works and find out more about the principles of the GDPR, navigate to our complete guide to GDPR Compliance. It’s a roadmap for complete implementation and integration of the GDPR principles into your privacy program.