Sirelark Divider Graphic
Divider graphic

SME Business Guidance Series: The Principles of GDPR

Since the GDPR came into effect in May 2018, businesses and organisations have had to follow seven data protection principles when processing sensitive and personal data. Noncompliance with these principles can carry hefty fines of up to £20 million or 4 per cent of annual global turnover (whichever costs more) from the Information Commissioner’s Office (ICO), as well as possible compensation claims by individuals. Use the following ICO guidance to ensure organisational compliance with the principles of the GDPR.

Principle 1: Lawfulness, fairness and transparency

  • You must identify valid grounds under the GDPR (known as a ‘lawful basis’) for collecting and using personal data.
  • You must ensure that you do not do anything with the data in breach of any other laws.
  • You must use personal data in a way that is fair. This means you must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned.
  • You must be clear, open and honest with people from the start about how you will use their personal data.

For further information and guidance on this principle, click here.

Principle 2: Purpose limitation

  • You must be clear about what your purposes for processing are from the start.
  • You need to record your purposes as part of your documentation obligations and specify them in your privacy information for individuals.
  • You can only use the personal data for a new purpose if either this is compatible with your original purpose, you get consent, or you have a clear obligation or function set out in law.

For further information and guidance on this principle, click here.

Principle 3: Data minimisation

  • You must ensure the personal data you are processing is:
    • adequate – sufficient to properly fulfil your stated purpose;
    • relevant – has a rational link to that purpose; and
    • limited to what is necessary – you do not hold more than you need for that purpose.

For further information and guidance on this principle, click here.

Principle 4: Data accuracy

  • You should take all reasonable steps to ensure the personal data you hold is not incorrect or misleading as to any matter of fact.
  • You may need to keep the personal data updated, although this will depend on what you are using it for.
  • If you discover that personal data is incorrect or misleading, you must take reasonable steps to correct or erase it as soon as possible.
  • You must carefully consider any challenges to the accuracy of personal data.

For further information and guidance on this principle, click here.

Principle 5: Storage limitation

  • You must not keep personal data for longer than you need it.
  • You need to think about – and be able to justify – how long you keep personal data. This will depend on your purposes for holding the data.
  • You need a policy setting standard retention periods wherever possible, to comply with documentation requirements.
  • You should also periodically review the data you hold, and erase or anonymise it when you no longer need it.
  • You must carefully consider any challenges to your retention of data. Individuals have a right to erasure if you no longer need the data.
  • You can keep personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes.

For further information and guidance on this principle, click here.

Principle 6: Integrity and confidentiality (security)

  • You must ensure that you have appropriate security measures in place to protect the personal data you hold.
    • Doing this requires you to consider things like risk analysis, organisational policies, and physical and technical measures.
    • You also have to take into account additional requirements about the security of your processing – and these also apply to data processors.
    • You can consider the state of the art and costs of implementation when deciding what measures to take – but they must be appropriate both to your circumstances and the risk your processing poses.
    • Where appropriate, you should look to use measures such as pseudonymisation and encryption.
    • Your measures must ensure the ‘confidentiality, integrity and availability’ of your systems and services and the personal data you process within them.
    • The measures must also enable you to restore access and availability to personal data in a timely manner in the event of a physical or technical incident.
    • You also need to ensure that you have appropriate processes in place to test the effectiveness of your measures, and undertake any required improvements.

For further information and guidance on this principle, click here.

Principle 7: Accountability

  • The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles.
  • You need to put in place appropriate technical and organisational measures to meet the requirements of accountability.
  • There are a number of measures that you can, and in some cases must, take including:
    • adopting and implementing data protection policies;
    • taking a ‘data protection by design and default’ approach;
    • putting written contracts in place with organisations that process personal data on your behalf;
    • maintaining documentation of your processing activities;
    • implementing appropriate security measures;
    • recording and, where necessary, reporting personal data breaches;
    • carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests;
    • appointing a data protection officer; and
    • adhering to relevant codes of conduct and signing up to certification schemes.
  • Accountability obligations are ongoing. You must review and, where necessary, update the measures you put in place.
  • If you implement a privacy management framework this can help you embed your accountability measures and create a culture of privacy across your organisation.
  • Being accountable can help you to build trust with individuals and may help you mitigate enforcement action.

For further information and guidance on this principle, click here.

For more useful articles and resources, please join our mailing list:

The content of this guide is of general interest only and not intended to apply to specific circumstances. It does not purport to be a comprehensive analysis of all matters relevant to its subject matter. It does not address all potential compliance issues with UK, EU or any other regulations. The content should not, therefore, be regarded as constituting legal advice and not be relied upon as such. It should not be used, adopted or modified without competent legal advice or legal opinion. In relation to any particular problem which they may have, readers are advised to seek specific advice. Further, the law may have changed since first publication and the reader is cautioned accordingly. Design © 2013, 2019 Zywave, Inc. All rights reserved.

Contains public sector information published by the ICO and licensed under the Open Government Licence v3.0. For more information on the GDPR’s principles, please see

Latest blog posts