We abide by the Guide to the UK General Data Protection Regulation (UK GDPR) 

Subscribe to our Newsletter

  • We collect your email address and store it in order to send you a newsletter.P
  • We collect you details in order to post your purchase(s).


  • Your reviews will be displayed.

What are GDPR's key principles?

At the core of GDPR are seven key principles – they're laid out in Article 5 of the legislation – which have been designed to guide how people's data can be handled. They don't act as hard rules, but instead as an overarching framework that is designed to layout the broad purposes of GDPR. The principles are largely the same as those that existed under previous data protection laws.


GDPR's seven principles are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. In reality, only one of these principles – accountability – is new to data protection rules. In the UK all the other principles are similar to those that existed under the 1998 Data Protection Act.



For processing of personal data to be lawful, you need to identify specific grounds for the processing. This is called a ‘lawful basis’ for processing, and there are six options which depend on your purpose and your relationship with the individual. There are also specific additional conditions for processing some especially sensitive types of data. For more information, see the lawful basis section of this guide.

If no lawful basis applies then your processing will be unlawful and in breach of this principle.

Lawfulness also means that you don’t do anything with the personal data which is unlawful in a more general sense. This includes statute and common law obligations, whether criminal or civil. If processing involves committing a criminal offence, it will obviously be unlawful. However, processing may also be unlawful if it results in:

  • a breach of a duty of confidence;
  • your organisation exceeding its legal powers or exercising those powers improperly;
  • an infringement of copyright;
  • a breach of an enforceable contractual agreement;
  • a breach of industry-specific legislation or regulations; or
  • a breach of the Human Rights Act 1998.

These are just examples, and this list is not exhaustive. You may need to take your own legal advice on other relevant legal requirements.

Although processing personal data in breach of copyright or industry regulations (for example) will involve unlawful processing in breach of this principle, this does not mean that the ICO can pursue allegations which are primarily about breaches of copyright, financial regulations or other laws outside our remit and expertise as data protection regulator. In this situation there are likely to be other legal or regulatory routes of redress where the issues can be considered in a more appropriate forum.

If you have processed personal data unlawfully, the UK GDPR gives individuals the right to erase that data or restrict your processing of it.



Processing of personal data must always be fair as well as lawful. If any aspect of your processing is unfair you will be in breach of this principle – even if you can show that you have a lawful basis for the processing.

In general, fairness means that you should only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them. You need to stop and think not just about how you can use personal data, but also about whether you should.

Assessing whether you are processing information fairly depends partly on how you obtain it. In particular, if anyone is deceived or misled when the personal data is obtained, then this is unlikely to be fair.

In order to assess whether or not you are processing personal data fairly, you must consider more generally how it affects the interests of the people concerned – as a group and individually. If you have obtained and used the information fairly in relation to most of the people it relates to but unfairly in relation to one individual, there will still be a breach of this principle.

Personal data may sometimes be used in a way that negatively affects an individual without this necessarily being unfair. What matters is whether or not such detriment is justified.


Where personal data is collected to assess tax liability or to impose a fine for breaking the speed limit, the information is being used in a way that may cause detriment to the individuals concerned, but the proper use of personal data for these purposes will not be unfair.

You should also ensure that you treat individuals fairly when they seek to exercise their rights over their data. This ties in with your obligation to facilitate the exercise of individuals’ rights. Read our guidance on rights for more information.



Transparency is fundamentally linked to fairness. Transparent processing is about being clear, open and honest with people from the start about who you are, and how and why you use their personal data.

Transparency is always important, but especially in situations where individuals have a choice about whether they wish to enter into a relationship with you. If individuals know at the outset what you will use their information for, they will be able to make an informed decision about whether to enter into a relationship, or perhaps to try to renegotiate the terms of that relationship.

Transparency is important even when you have no direct relationship with the individual and collect their personal data from another source. In some cases, it can be even more important - as individuals may have no idea that you are collecting and using their personal data, and this affects their ability to assert their rights over their data. This is sometimes known as ‘invisible processing’.

You must ensure that you tell individuals about your processing in a way that is easily accessible and easy to understand. You must use clear and plain language.


Data minimisation


The data minimisation principle isn't new, but it continues to be important in an age when we are creating more information than ever. Organisations shouldn't collect more personal information than they need from their users. "You should identify the minimum amount of personal data you need to fulfil your purpose," the ICO says. "You should hold that much information, but no more."

The principle is designed to ensure organisations don't overreach with the type of data they collect about people. For instance, it's very unlikely that an online retailer would need to collect people's political opinions when they sign-up to the retailer's email mailing list to be notified when sales are taking place.


Integrity and confidentiality (security)


Under 1998's data protection laws, security was the seventh principle outlined. Over 20 years of being implemented a series of best practices for protecting information emerged, now many of these have been written into the text of GDPR.


Personal data must be protected against "unauthorised or unlawful processing," as well as accidental loss, destruction or damage. In plain English this means that appropriate information security protections must be put in place to make sure information isn't accessed by hackers or accidentally leaked as part of a data breach.


GDPR doesn't say what good security practices look like, as it's different for every organisation. A bank will have to protect information in a more robust way than your local dentist may need to. However, broadly, proper access controls to information should be put in place, websites should be encrypted, and pseudonymisation is encouraged.


Our cybersecurity measures are appropriate to the size and use of our network and information systems.




Accountability is the only new principle under GDPR – it was added to ensure companies can prove they are working to comply with the other principles that form the regulation. At it simplest, accountability can mean documenting how personal data is handled and the steps taken to ensure only people who need to access some information are able to. Accountability can also include training staff in data protection measures and regularly evaluating and data handling processes.


The "destruction, loss, alteration, unauthorised disclosure of, or access to" people's data has to be reported to a country's data protection regulator where it could have a detrimental impact on those who it is about. This can include, but isn't limited to, financial loss, confidentiality breaches, damage to reputation and more. In the UK, the ICO has to be informed of a data breach 72 hours after an organisation finds out about it. An organisation also needs to tell the people the breach impacts.


The accountability principle can also be crucial if an organisation is being investigated for potentially breaching one of GDPR's principles. Having an accurate record of all systems in place, how information is processed and the steps taken to mitigate errors will help an organisation to prove to regulators that it takes its GDPR obligations seriously.