Seven Principles of GDPR


The EU’s General Data Protection Regulation (GDPR) protects the personal data of those living within the European Economic Area (EEA). The GDPR principles lie at the core of this regulation. The GDPR sets out seven fundamental principles:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability

Lawfulness, Fairness, and Transparency

This principle applies to how personal data is processed. First, the methods used to obtain personal data must be lawful. Second, personal data should be processed in a way consistent with how the processing was described to the data subject. Third, data subjects must be fully informed about what data is being collected, why it is being collected, and how long it will be kept.

Purpose Limitation

The personal data collected must be limited to what the data subject has consented to. Data controllers must not collect data not needed to perform their processing duties.

Data Minimization

Personal data collection should be relevant and limited to what is needed for an organization to fulfill its service.

Accuracy

Personal data records should be accurate and up-to-date. Inaccurate data must be corrected or deleted.

Storage Limitation

Personal data should not be stored for longer than legally necessary.

Integrity and Confidentiality

Appropriate technical and organizational security measures must be in place to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

Accountability

Organizations must confirm and demonstrate compliance with GDPR. Adhering to the accountability principle can include:

  • Keeping records that show your GDPR compliance to regulators,
  • Performing data privacy assessments to determine compliance and risks, such as a Data Privacy Impact Assessment (DPIA), or
  • Documenting a data map.



About Author

Senior IT Risk Analyst, Information Security and Assurance | Fordham University A Certified Information Privacy Professional/United States (CIPP/US) and Privacy Manager (CIPM) privacy professional who is a versatile and creative writer, fusing a background in communications and academics with expertise in business writing to deliver quality, customized material spanning technical, marketing, policy, and social media content. Creative, resourceful, and flexible, able to adapt to changing priorities and maintain a positive attitude, strong work ethic, and humor.