The 6 Principles Underpinning Data Protection.

The GDPR requires organisations to be able to prove [this is known as ‘accountability’] that they comply with the following principles:

Simply put, these are that personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to an individual;
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes [known as ‘purpose limitation’];
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed [known as ‘data minimisation’];
  4. accurate and, where necessary, kept up to date;
  5. kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which the personal data are processed [known as ‘storage limitation’];
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures [known as ‘integrity and confidentiality’].

The Implications For Your Business…

Organisations may also be required to:

  • ensure they have legal grounds to process personal data
  • if consent is the ground, make sure they have proof
  • take extra care when dealing with children
  • provide privacy information to individuals
  • take extra care of more sensitive data and data relating to crime
  • tell individuals what is happening with their personal data
  • respond to requests by individuals to exercise their data protection rights
  • put in place measures to show they comply with the law
  • incorporate data protection at the design stage
  • ensure that data protection is carried out by ‘default’
  • define their relationship with any ‘joint controllers’
  • appoint an EU or UK representative
  • carry out due diligence upon and have proper agreements with data processors
  • create and maintain a Record of Processing Activities
  • keep personal data secure
  • respond appropriately to personal data breaches
  • undertake Data Protection Impact Assessments
  • appoint a Data Protection Officer
  • lawfully transfer personal data out of the UK

Organisations also need to comply with the Data Protection Act 2018. This, amongst other matters, sets out how to lawfully process certain types of ‘special category’ personal data as well as what ‘exemptions’ might apply when dealing with a request by an individual to exercise their data protection rights.

Organisations should also adhere to the Privacy and Electronic Communication Regulations of 2003, which set out the rules for cookies and other tracking technologies and the rules around electronic marketing to individuals.

We can assist with all of the above.

For further information please contact us.

Please contact us to arrange a free no obligation telephone discussion.