The Six Privacy Principles of GDPR

27 April 2017


The General Data Protection Regulation (GDPR) comes into effect in May 2018 and replaces all EU directive (95/46/EC). The new regulation strengthens local European legislation for Data Protection and aligns regulators under one authority. 

The six privacy principles form the fundamental conditions which organisations must follow when collecting, processing and managing the personal information data for all European citizens. Organisations which breach any of these areas risk fines of up to €20m or 4% of global turnover and bans from processing such data.

We can split GDPR into six privacy principles:

1. Lawfulness, fairness and transparency

Transparency: Tell the subject what data processing will be done. 
Fair: What is processed must match up with how it has been described
Lawful: Processing must meet the tests described in GDPR [article 5, clause 1(a)]

2. Purpose limitations

Personal data can only be obtained for “specified, explicit and legitimate purposes”[article 5, clause 1(b)]. Data can only be used for a specific processing purpose that the subject has been made aware of and no other, without further consent.

3. Data minimisation 

Data collected on a subject should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.[article 5, clause 1(c)]
i.e. No more than the minimum amount of data should be kept for specific processing.

4. Accuracy

Data must be “accurate and where necessary kept up to date” [article 5, clause 1(d)]
Baselining ensures good protection and protection against identity theft. Data holders should build rectification processes into data management / archiving activities for subject data.

5. Storage limitations

Regulator expects personal data is “kept in a form which permits identification of data subjects for no longer than necessary”. [article 5, clause 1(e)]
i.e. Data no longer required should be removed.

6. Integrity and confidentiality

Requires processors to handle data “in a manner [ensuring] appropriate security of the personal data including protection against unlawful processing or accidental loss, destruction or damage”. [article 5, clause 1(f)]​ 

These 6 principles give a top level overview of the areas covered by the new regulation, however they do not delve into nuances of consent and other articles of GDPR, nor the complexities of data flow mapping, lineage and coordination activities associated with implementing a programme to meet GDPR compliance.

At MThree Consulting, we are able to offer a fully consultative service to support your organisation through the entire transition of aligning your data processes with the new regulation. This process begins with creating awareness, assessing current policies and risk through to implementing necessary business and technology changes and ongoing evaluations.

If you wish to know more, please enter your details below and one of our GDPR subject matter experts will be in touch.

By submitting your details you agree our Terms and Conditions and to be contacted directly via email and phone. Click here to view our full Terms and Conditions.

Or contact us directly

Stuart Farrell

Associate Director - Cyber and Information Security

T: +44 (0) 2017 870 4034
M: +44 (0) 7500 783 945