Toolkit for the EU GDPR: 4) Six Principles of GDPR


published on February 14, 2018



This note is part of our series of “Toolkits” on specific key elements of the upcoming EU GDPR (General Data Protection Regulation). If you are an enterprise based in the EU or you hold or process any personal data of any EU citizen you will need to ensure that you are compliant with the GDPR on and following its implementation date of 25 May 2018.

Precisely how the GDPR will be implemented in the UK is currently unclear as the UK legislation is not yet finalised. We nonetheless recommend that a detailed review of data protection policies and procedures are completed ahead of its implementation (and any changes required are implemented ahead of that date too).

The GDPR does not seek to drastically alter the existing UK regime (under Data Protection Act 1998) but it does add important additional proactive requirements for compliance and enhanced data subject rights and protections (as well as creating a more uniform EU-wide regime).


This document is not a comprehensive explanation of the GDPR or the obligations under it and is not intended to provide advice. If you require any advice please contact us on the contact details provided further below.    


What is the GDPR?

The GDPR will replace the existing EU Data Protection Directive 1995 (95/46/EC). It seeks to update the data protection legislation in line with modern changes in technology and the way in which personal information is commonly used, processed and shared.



This note is an overview of the six principles of the GDPR. These principles are the foundations for processing personal data and you should ensure that any personal data you process (including personal data which you store) is compliant with these principles.
This toolkit does not deal with special category data or criminal data.



The Six principles

Article 5 of the GDPR sets out the six principles of data protection. These principles are the foundation of the GDPR and require that personal data is:

  1. processed lawfully, fairly and in a transparent manner;
  2. used for the purpose for which it was collected (and that purpose is expressly specified and legitimate);
  3. relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. accurate and, where necessary, kept up to date;
  5. stored for no longer than is necessary for the purpose for which the personal data is processed; and
  6. processed in a manner than protects the security and confidentiality of the personal data.

The controller of the personal data is responsible for complying with the above six principles. Further, the controller of the personal data will be required to be able to demonstrate compliance with these principles, it is therefore important that appropriate policies are in place to facilitate compliance with these principles and that compliance is documented.

What do these principles mean?


Lawful, Fair and Transparent

Before processing any personal data the lawful basis for which the personal data is being processed should be established and this lawful basis should be documented.

Having a lawful basis for processing personal data is not a new concept however the GDPR has a particular focus on accountability and transparency. Further the GDPR emphasises “privacy by design” which encourages data protection to be at the forefront of decisions and policies rather than an afterthought.

The lawful grounds for processing personal data are as follows:
  • Consent. Where there is clear and positive consent of the data subject to process their personal data;
  • Contract. Processing personal data is necessary to fulfil contract with the data subject;
  • Legal Obligation. Processing personal data is necessary to comply with legal obligations/with the law;
  • Vital Interest. Processing personal data is necessary to protect someone’s life;
  • Public Task. Processing personal data is necessary to perform a task which is in the public interest or for official purpose which has a clear basis in law;
  • Legitimate Interest. This lawful basis does not apply if there is a good reason to protect the individuals data which overrides the legitimate interests for processing it. 

It is also important that the reasons, grounds and purpose for processing personal data are transparent and clear to the data subject. This requires that the data subject is not mislead, for example, if personal data is processed on the basis that there is a contract with the data subject; asking for the data subjects consent could mislead them about their position and the lawful grounds for processing. This may also be seen to be contray to the requirement of transparency.  
You will also need to consider Individual Rights which are explored within our other GDPR toolkits.


It is important that the most appropriate lawful basis for processing any personal data is determined. In particular, each lawful basis for processing personal data provides the data subject with different individual rights, for example there is no right for the data subject to object to their personal data being processed if it is processed to fulfil a contract with the data subject.

Data can only be used for the purpose which the data subject has been made aware of and no other reason. If the purpose for processing the data has changed however it is still compatible with the purpose for which the data was originally processed, the GDPR may allow you to continue to process the data. However, this rule does not apply if the lawful ground for processing the data is “consent”, in which case the consent of the data subject will need to be obtained for the new purpose.

Data Minimisation

In order to have a lawful basis for processing personal data, it must be necessary  (or proprotionate for the purposes to which the data is being collected) to process the data. If the same outcome can be reasonably achieved without processing personal data than it is unlikely there will be a lawful basis to do so.


The GDPR requires the data controller to ensure that any personal data held is accurate and kept up to date. Procedures should be put in place check accuracy of any personal data and allow for it to be easily updated, if required.

Storage Limitations

Personal data should not be held in an itenfiable form for longer than is necessary. To determine how long any personal data should be held the purpose for which the personal data has been processed and any statutory requirements should be considered. It is recommended that clear policy is put in place which deals with and justifies the storage timeframes used. 

Once any personal data is no longer required, it should be securely deleted. If personal data needs to be held for longer, i.e. for statistical purposes than it should be considered whether anonymising the personal data (so that it is no longer possible to in any way identify the individual), is appropriate. 

Security and Confidentiality

Any personal data which is processed should be securely stored and remain confidential. This requires adeqate measures to be taken to protect against unlawful processing, accidental loss, destruction or damage. These measures should be reviewed on an on-going basis to ensure compliance with modern practices and any reviews or policies should be documented.

The GDPR rules allow for a fine of £17 million or 4% of global turnover for failure to comply with the GDPR. It remains to be seen how fines will be calculated in practice however it is most likely that the larger fines will be for security breaches.

Accountability and documentation

The GDPR creates an accountability obligation where the data controller must be able to demonstrate their compliance with the GDPR (and the six principles) through evidence. This requires more than having policies in place. It is recommended that employees receive training on data protection matters (including internal policies), that policies are tested to ensure they are effective (and any test results are used to demonstrate continuous improvement) and that the technology and processes used are reviewed to ensure it is sufficient to ensure compliance with the GDPR. Any documentation which evidences compliance with the GDPR should be kept.

 EU-GDPR Toolkit for UK


Contact Person Picture

Emma Vickers

+44 121 2278 963

Send inquiry

Contact Person Picture

Jan Eberhardt


+44 121 2278 963

Send inquiry

Deutschland Weltweit Search Menu