The Article 5 Principles: The Backbone of the GDPR

Aiming for GDPR compliance? Start by reading and understanding the seven principles that appear in Article 5.

The GDPR’s “principles of data processing” underpin all the law’s other provisions – get the principles right, and you’ll have a solid foundation for properly implementing every obligation relevant to your business.

Lawfulness, Fairness, and Transparency

• Always identify a “legal basis” for using, collecting, or sharing personal data.
• Use people’s data in ways they would reasonably expect.
• Be honest and open about how you use personal data.

Examples:

• Determine the appropriate legal basis for any processing activity—for example, getting consent for cookies or sending unsolicited marketing.
• Consider other legal obligations that run alongside the GDPR.
• Maintain a comprehensive privacy policy, and provide other notices where required.

Purpose Limitation

• Only use or collect personal data for “specified, explicit, and legitimate” purposes.
• If you need to process personal data for further purposes, ensure they are consistent with your original purpose for collecting the data.

Examples:

• If you’ve collected personal data to carry out a transaction, you can’t automatically re-use it for marketing.
• For some purposes, it’s better to use non-personal or anonymised data.
• State your purposes in your privacy policy, collection notices, and consent requests.

Data Minimisation

Only collect and use data that is “adequate, relevant, and limited to what is necessary.”

Examples:

• Want to send someone your newsletter? You probably only need their email address—don’t ask for any other data unless you need it.
• Take regular audits of the personal data you’re storing and delete anything you don’t need.
• Don’t overload your website or app with unnecessary cookies and trackers.

Accuracy

Make sure the personal data you control is accurate and up to date.

Examples:

• Have a system for updating employees’ or customers’ personal data—for example, when they move house or change their email address.
• Respond quickly when someone requests to correct inaccurate personal data.
• Make sure you inform data processors about any changes you’ve made to records of personal data, where appropriate.

Storage Limitation

Don’t keep personal data for longer than you need it.

Examples:

• When someone closes their account with your company, you might be able to delete all their personal data—or you might need to retain some for specific purposes.
• Make sure you’re obeying any data retention laws—for example, regarding employees’ salary data.
• Tell people how long you intend to store their data at the point that you collect it.

Security

Use “technical and organisational measures” to keep personal data secure.

Examples:

• Maintain clear internal policies relating to data protection and security.
• Protect personal data using technical measures like multi-factor authentication (MFA), encryption, and access controls.
• Make sure everyone on your team understands their data security obligations—including when working from home.

Accountability

You’re responsible for your compliance with the GDPR’s principles—and you must be able to demonstrate your compliance.

Examples:

• Make sure you have a clear, documented programme for achieving and maintaining GDPR compliance.
• Appoint staff members to data protection roles—such as by appointing a Data Protection Officer and EU or UK Representative, if necessary.
• Keep records of your data processing and decision-making activities.