What are the 7 principles of GDPR?

In this article Suze from Garden City Assurance looks to provide the answer to the question, ‘What are the 7 principles of GDPR?’

The Foundations of GDPR Compliance – The 7 Principles of GDPR

Lawful, fair, and transparent

Be open and honest about how you’re using personal data. Don’t be unethical, and make sure you have a lawful reason to do what you’re doing. Don’t ever be shady in your processing – you will lose the confidence of you customers and staff.

Purpose Limitation

If you collect data for one reason, don’t assume you can use it for other reasons without checking compatibility with the first purpose. If a customer satisfaction survey is completed, for example, it doesn’t automatically mean that information can be added to marketing lists.


ONLY collect the data you need. Don’t collect extra data ‘because you want it’, or ‘just in case’. This is a biggie and is often seen. Would the people in the CRM be surprised at the level of information you hold on them? Do you genuinely need to process it to achieve the purpose? Before you collect the info, stop and think. If you don’t need it, don’t collect it.


Make sure the data you’re processing is up to date and accurate. Hopefully, this is self-explanatory. If in doubt, check.

Storage Limitation – aka retention

Don’t keep data longer than you need it. If your marketing or fundraising lists are over 10 years old, and there’s been no interaction between your organisation and the person on the list for many years, you probably need to have a clean-up. Don’t keep things ‘just in case’. Make sure you have a retention policy and schedule that covers everything from email to paper records. Put processes in place to make sure data is deleted when needed.


Make sure you have appropriate security measures in place for the volume and types of data you process. The legislation cannot give you prescriptive guidance for the measures your specific organisation needs to put in place – that would be impossible. You need to assess what is appropriate to you and the people whose data you need to protect. E.g. The measures a hairdresser needs to have in place would be totally different from an organisation providing medical care.


The principle many people forget about.

Take responsibility for the processing you do and be able to evidence it. Make sure you document the decisions you make relating to data protection and risk. Have your ROPA in place. Put Privacy by Design at the heart of every new project. Get your DPIAs and LIAs documented. Do all of this and more.

Ensure you have the right reporting structures in place, along with escalation routes for things that need to be addressed.

Accountability is a huge topic, and much advice is freely available on the ICO website. If you need specific advice, get in touch.

Garden City Assurance are on THE LIST where you can find their full range of GDPR services. You can visit their website for more information.