Latest updates
19 May 2023 - we have broken the Guide to the UK GDPR down into smaller guides. All the content stays the same.
At a glance
- The UK GDPR sets out seven key principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
- These principles should lie at the heart of your approach to processing personal data.
In brief
- What are the principles?
- Why are the principles important?
What are the principles?
Article 5 of the UKGDPR sets out seven key principles which lie at the heart of the general data protection regime.
Article 5(1) requires that personal data shall be:
“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
See AlsoPrivacy Policy Template - TermsFeedVinden Lawyers – Your Legal Compass, Our ExpertiseCan I write my own privacy policy?Research: A Strong Privacy Policy Can Save Your Company Millions(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
Article 5(2) adds that:
“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
For more detail on each principle, please read the relevant page of this guide.
Why are the principles important?
The principles lie at the heart of the UKGDPR. They are set out right at the start of the legislation, and inform everything that follows. They don’t give hard and fast rules, but rather embody the spirit of the general data protection regime - and as such there are very limited exceptions.
Compliance with the spirit of these key principles is therefore a fundamental building block for good data protection practice. It is also key to your compliance with the detailed provisions of the UKGDPR.
Failure to comply with the principles may leave you open to substantial fines. Article 83(5)(a) states that infringements of the basic principles for processing personal data are subject to the highest tier of administrative fines. This could mean a fine of up to £17.5 million, or 4% of your total worldwide annual turnover, whichever is higher.
In more detail – ICO guidance
Read our individual rightsandinternational transfers guidance.
As an expert in data protection and privacy laws, I have a comprehensive understanding of the UK General Data Protection Regulation (UK GDPR) and its fundamental principles. My expertise is rooted in both theoretical knowledge and practical application, having navigated the intricacies of data protection legislation and its implications.
The latest updates, as of 19 May 2023, have segmented the Guide to the UK GDPR into smaller, more digestible guides while maintaining the integrity of the content. At the core of this regulation lie seven key principles, outlined in Article 5 of the UKGDPR. Let's delve into each of these principles to provide a comprehensive overview:
-
Lawfulness, Fairness, and Transparency (Article 5(1)(a)): Personal data must be processed in a lawful, fair, and transparent manner. This includes ensuring that individuals are informed about the processing activities and that these activities adhere to legal requirements.
-
Purpose Limitation (Article 5(1)(b)): Data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. Exceptions include processing for public interest, scientific research, historical research, or statistical purposes.
-
Data Minimisation (Article 5(1)(c)): The collection of personal data should be adequate, relevant, and limited to what is necessary for the intended purposes of processing.
-
Accuracy (Article 5(1)(d)): Personal data must be accurate and, where necessary, kept up to date. Steps should be taken to rectify or erase inaccurate data promptly.
-
Storage Limitation (Article 5(1)(e)): Personal data should be kept in a form that permits identification for no longer than necessary. Exceptions are made for archiving purposes in the public interest, scientific research, historical research, or statistical purposes, subject to appropriate safeguards.
-
Integrity and Confidentiality (Article 5(1)(f)): Data must be processed in a manner that ensures appropriate security, protecting against unauthorized or unlawful processing, as well as accidental loss, destruction, or damage. Technical and organizational measures must be implemented for this purpose.
-
Accountability (Article 5(2)): Controllers are responsible for and must be able to demonstrate compliance with the principles outlined in Article 5(1). This emphasizes the accountability of those processing personal data.
The significance of these principles cannot be overstated. They form the bedrock of the UKGDPR, shaping the entire data protection regime. While they do not prescribe rigid rules, they embody the spirit of the legislation, leaving little room for exceptions. Adherence to these principles is not only a fundamental aspect of good data protection practice but is also imperative for compliance with the detailed provisions of the UKGDPR.
Failure to comply with these principles may result in severe consequences, including substantial fines. Article 83(5)(a) stipulates that infringements of the basic principles for processing personal data can lead to the highest tier of administrative fines, potentially reaching up to £17.5 million or 4% of the total worldwide annual turnover, whichever is higher.
For more in-depth information on each principle, further details can be explored in the relevant sections of the guide. Additionally, the Information Commissioner's Office (ICO) provides guidance on individual rights and international transfers to supplement understanding and ensure compliance.
