GDPR principles: a guide to Article 5 compliance

If your organization collects personal data in the European Union, then it is subject to the world’s toughest privacy and security law. Gaining an understanding of GDPR is essential for every business that collects personal data—like customer names, birthdays, emails, or home addresses—with big fines for not following it.

To help your organization learn to understand and follow GDPR principles, particularly Article 5, this comprehensive guide offers valuable insights and best practices.

Key takeaways

  • GDPR sets out six key data protection principles that organizations must follow.
  • The first principle highlights the importance of collecting data in a lawful and transparent manner.
  • Organizations must collect personal data for specific and limited purposes.
  • Data minimization is important for keeping data secure and accurate and for preventing breaches.
  • Storage limitation underscores the necessity of deleting personal data when it's no longer needed.
  • Integrity and confidentiality mean keeping personal data safe from unauthorised or unlawful processing and harm.

What are the 7 principles of the GDPR?

GDPR, or the General Data Protection Regulation, is the most extensive data protection and privacy law globally. The seven principles establish the rules for handling personal data, and Article 5 enforces them. In essence, Article 5 is a legal anchor that holds the entire GDPR structure together.

The 7 principles of GDPR include:

  1. Lawfulness, fairness, and transparency: Personal data must be processed legally, fairly, and openly.
  2. Purpose limitation: Data should be collected for specific, legitimate purposes and not used for unrelated reasons.
  3. Data minimization: Collect only necessary data for the intended purpose.
  4. Accuracy: Data must be accurate and kept up-to-date.
  5. Storage limitation: Don't keep data longer than necessary.
  6. Integrity and confidentiality (security): Protect data against unauthorized access and damage.
  7. Accountability and transparency: Organizations must demonstrate compliance and transparency in data processing.

Think of it like a set of rules created to protect people's privacy and personal data. Making sure that companies and websites can’t misuse it against someone’s wishes. It gives individuals more control over how their data is used. It makes companies and organizations accountable for how they handle personal information.

 7 principles of personal data processing

Failing to follow the GDPR rules and its general principles can have serious consequences for a company or website. They may face large fines for mishandling personal data or risk damage to their reputation and trustworthiness.

Principle 1: Lawfulness, fairness, and transparency

The first principle, lawfulness, means that organizations must have a valid legal reason to collect and use personal data. Fairness implies that data processing should not harm individuals and should be balanced and just. Transparency requires organizations to be clear and open about how they collect and use data.

Principle 1: Example

Lawfulness: An online retailer collects customers' addresses for shipping orders. It's lawful because it's necessary for fulfilling the sale.

Fairness: The retailer shouldn't use customers' addresses for unrelated purposes. For example, sending unsolicited marketing emails or selling the information to third parties. This would be unfair and constitute unlawful processing.

Transparency: The retailer should state that they collect customer addresses for shipping purposes. And should not be used for other reasons to ensure transparency.

Difference between personal and non-personal data under GDPR

Principle 2: Purpose limitation

The second principle of GDPR is about using personal information only for the reasons specified at the time of collection. GDPR ensures companies and websites stick to the original plan. Making it essential to get consent before contacting customers in any way that is not in line with the original intent.

Principle 2: Example

Any company that sends a receipt by e-mail can create a customer database. But, they have to gain the customer’s consent before using those email addresses for other purposes, such as marketing campaigns.

3 best practice tips to remember

  • Allow users to opt-in themselves rather than using pre-checked boxes on consent forms. Ask subscribers to verify their emails as an extra step when creating a mailing list.
  • Make it easy to unsubscribe by including a visible link in each correspondence.
  • Keep a record of your GDPR compliance, such as saving the emails and consent forms used to create a subscriber list.

Principle 3: Data minimization

The third principle of GDPR is about collecting only the necessary amount of personal data. What's important is not to gather any excessive or irrelevant information. This rule emphasizes data minimisation by using a less-is-more approach when it comes to data collection.

Principle 3: Example

If a tech company is making a fitness app, they should only ask for data related to fitness, such as height, weight, and daily steps. Asking for unrelated details, like favorite food or political views, isn't required for the app and doesn't follow GDPR rules.

Principle 4: Accuracy

The fourth GDPR principle, accuracy, highlights the importance of keeping personal data correct and up to date. Holding organizations responsible for ensuring the accuracy of the data they possess.

Principle 4: Example

There are many ways that companies can ensure they comply with this principle:

  • Allowing users to update their profile information easily
  • Verifying user data during registration
  • Conducting regular data audits to correct discrepancies
  • Sending notifications to prompt users to keep their information accurate

Principle 5: Storage limitation

This principle safeguards individuals' privacy by avoiding unnecessary storage of their personal information. It means that personal data should only be kept as long as needed for its intended purpose rather than indefinitely. Organizations should set a specific time frame and delete or anonymize the data once it's no longer necessary.

Lifecycle of personal data

Principle 5: Example

Consider an online store. If you create an account to buy things, the store has to keep your personal data for as long as it's needed to send your orders and help you with any issues. However, when you stop using the store or close your account, GDPR says the store must delete or make your data anonymous after a certain time. Keeping it forever would break the storage limitation rule.

Principle 6: Integrity and confidentiality

The sixth principle focuses on the security of personal data. It requires organizations to protect their data from threats. For example, unauthorized access, disclosure, alteration, or destruction. In simpler terms, it's about keeping personal information safe and secure.

Principle 6: Example

For example, think of your personal data as a secret diary. You'd want to keep it in a safe and lock it to ensure no one else can read it. Under GDPR, companies are required to keep their personal data safe, for example, by using strong passwords, encryption, and other modern security measures. This stops cybercriminals and unauthorized people from getting your information.

Principle 7: Accountability

The seventh principle is all about taking responsibility for your data practices. This means being open about how you collect, use, and safeguard personal data.

In simple terms, this principle is like a promise that companies make to their customers. They promise to be careful and responsible when using personal information. And they also promise to be honest and open about what they're doing with it. This way, individuals can trust that their data is being handled in a secure and fair manner.

Principle 7: Example

When an online marketing company follows GDPR's accountability and transparency principles, it means they have a clear privacy policy, obtain consent to collect data, share reports on how data is used, and let you request the deletion of your data. This approach gives you more control over how your data is used for marketing and builds trust by being open and clear.

Simplify your GDPR compliance with NordLayer

The seven GDPR principles mark a significant advancement in safeguarding personal data in the digital era. And sets a rigorous standard not only in the EU but also globally. This regulation has replaced the outdated Data Protection Directive and provides individuals with more control over their personal information. By promoting uniformity and cross-border data flow, GDPR plays a vital role in shaping data privacy and security for the future.

For fuss-free compliance with GDPR as well as other important regulations, NordLayer offers a suite of comprehensive solutions. Protect your organization from threats and harm resulting from bad data practices and stay up-to-date with security compliance wherever you are.


For how long can data be kept, and is it necessary to update it?

Your company should only keep data for as long as necessary and set clear limits for data deletion. There are special cases, like historical research, where data may be kept longer with security measures. Make sure the data is accurate and updated.

The duration for which data can be kept depends on various factors, including the purpose for which the data was collected and any legal or regulatory requirements. In general, data should be retained for the shortest period necessary to fulfill its intended purpose. This means that you should keep data only as long as it's needed for the reason it was collected.

As for updating data, it is essential to ensure that personal data is accurate and kept up to date. If the data becomes outdated or inaccurate, you should take steps to rectify or update it. This helps maintain the integrity and reliability of the data and is in line with the GDPR's accuracy principle. However, not all data needs constant updates; it depends on the nature of the information and how it's used.

How much data can be collected?

Personal data should only be used when there's no reasonable alternative method for handling it. Whenever possible, it's better to work with anonymous data. If personal data is required, it should be just enough for the task, and it's the responsibility of everyone in your company and not a data protection officer to determine how much data is necessary and to avoid collecting unnecessary information.

For example, a company that provides a food-delivery service might need to know the customer's name, address, and credit card details, but should never ask about a person's race or where they come from. That information is not needed for the food-delivery service and would be considered as unauthorized or unlawful processing.

Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.