7 Principles of GDPR: What You Should Know

Why are the 7 principles of GDPR important?

The 7 GDPR principles are the fundamental principles of processing prescribed under the GDPR, and they form the backbone of any compliance programme.

These principles have been derived over time from international and European data protection laws. ‘Convention 108’ was the first internationally binding instrument to set out data protection principles. The principles outline the obligations that must be adhered to whenever personal data about an individual is collected, processed, and stored.

In the European context, the Data Protection Directive incorporated the fundamental data protection principles. Although the GDPR principles are similar to those found under the Directive, the GDPR has ensured a greater level of compliance because the principles are more detailed and take into account advances in technology.

These principles are the building blocks of the regulation and should be implemented in every aspect of compliance. Failure to comply can attract an administrative fine of up to €20 million or 4% of your total worldwide annual turnover, whichever is higher.

What are the 7 principles of processing?

We aim to go through each of the 7 principles to familiarise readers with the basics of the GDPR. The principles are as follows:

Lawfulness, fairness, and transparency

Lawfulness: this principle aims to ensure that there is a valid reason for the processing of personal data. It relates to adopting the proper lawful basis, or legal reason, for the processing. There are six main scenarios in which you can process personal data:

  1. The data subject has given consent to the processing.
  2. The processing is necessary for the performance of a contract with the data subject.
  3. The processing is necessary to comply with a legal obligation.
  4. The processing is necessary to protect the vital interests of a natural person.
  5. The processing is necessary for the performance of a task carried out in the public interest.
  6. The processing is necessary for the legitimate interests of the controller, and the controller can show that those interests do not override the data subject’s rights and interests.

Fairness: the data subjects know how their data will be processed and would consider it an appropriate use. Fairness overall ensures that users’ data will not be mishandled or misused once collected.

Transparency: being clear and open with data subjects when processing their personal data. The controller should always communicate to individuals how their data will be used.

Purpose Limitation

Purpose limitation means that the entity collecting and using data must be clear about the particular purpose for which the personal data of individuals will be used. The purpose must be well defined and properly communicated. For example, data collected by a doctor for a health check cannot then be shared with an insurance company, as that would be considered incompatible with the original purpose.

Data Minimisation

Data minimisation means that the controller should restrict the collection of personal data to what is directly relevant and necessary to achieve a specific purpose. It should always be ensured that the data collected is necessary and proportionate to the specified purpose. For example, collecting a large amount of data that is excessive for what the controller aims to accomplish will be considered disproportionate.

Accuracy

Data controllers have the responsibility to verify the accuracy of the data the company holds. The rationale behind this principle is to encourage the controller to set up checks and balances to update and maintain the personal data it processes on a regular basis. Conducting periodic accuracy checks or audits of the data inventory is the best way to abide by this principle.

Storage Limitation

Storage limitation simply means that personal data must not be kept for longer than necessary and should be securely deleted unless there is a rationale for retaining it. For example, personal data collected for a recruitment process should be deleted once the recruitment is over.

Integrity and confidentiality

This principle is interlinked with information security. It essentially means that data controllers should proactively plan to protect personal data from any unauthorised or unlawful processing. The controller should be diligent in preventing accidental loss, damage or destruction of data. The principle aims to promote organisation-wide measures for information security.

Accountability

Accountability simply refers to being responsible for data privacy compliance and maintaining records as proof of compliance with the data protection principles. To ensure accountability, the controller must document every step of the compliance journey and provide evidence of the steps taken. Examples include maintaining a record of processing activities or appointing a DPO.

The General Data Protection Regulation (GDPR) embraces the 7 data protection principles to give organisations a guide on how best to manage the personal data they hold and secure compliance with the law.


This article does not constitute legal advice in any form and only seeks to break down some of the main points set out by publicly available sources such as the ICO.

November 30, 2021

Frequently asked questions

Do I need to connect all my tools and third parties?

We never have access to any of your data. Our platform is able to scan each tool and provide recommendations without needing to access any of the data within those tools. There's no need for your dev team to do anything, and there are no security risks: just tell us the tools you use and we will do the rest.

What is the scope of my privacy policy?

Our policies are not just about your website or service. Once set up, our platform will help you map out internal and external processes, such as HR, finance, and more!

Do I need to replace my current policy for the privacy portal?

We recommend replacing your current policy with our policy, this way you’ll remain compliant as your business changes and as the laws update.

Do I need help filling out my details?

Setting up is easy: just follow the on-screen prompts and go through a few short steps to add your tools. You don't need any technical ability, and anything you don't know the answer to you can ask us about via our live chat or add later.

Why can’t I just use a template and add it to my website myself?

A template will not be applicable to your particular business, as there are many things to consider for each tool you use. Also, a template will not automatically update when changes happen in your business or when changes to GDPR laws are released. This can leave you vulnerable to breaking GDPR laws.

What if you don’t have the tools and third parties that I have?

We have a huge selection of tools pre-loaded, and anything you don't see you can add directly from the platform, as well as mapping data for any custom software you may use.

Which plan should I choose?

Our Essential Plan is perfect for people just getting started, small businesses, self-employed people and early stage companies. It allows you to get set up and start making your site GDPR compliant. You can move to our pro plan when you grow and your needs become more complex.

Our Pro Plan is aimed at SMEs and is our most popular plan as it includes everything you'll need such as a cookie banner, multiple languages as well as dedicated support.

Our Agency Plan is aimed at businesses that operate with clients needing GDPR solutions. The plan allows you to onboard clients as well as benefit from the Pro Plan for your own site.

Our Enterprise Plan is our most customisable and inclusive plan aimed at large, corporate businesses. We will essentially build you a bespoke plan with full maintenance support, onboarding classes and full company-wide access.

Feel free to get in touch to discuss our GDPR Compliance Software solution.

How easy is it to set up?

Signing up is super easy. The platform will ask you a few basic questions and then you can add your tools. Don't worry if you don't know them all; you can come back and add tools at any point. The platform will then generate the correct privacy policy based on your information, and you can then share it directly on your site. That's it!

What size companies is Privasee aimed at?

Privasee has a plan for smaller companies as well as larger enterprise companies. Small to medium companies can sign up directly. Bigger enterprise companies should get in touch with their requirements and our team will build a bespoke plan.

I already have a privacy policy, do I need Privasee?

You have a legal responsibility to keep your policy up to date with every change in legal requirements for every tool you have. With Privasee you are always covered.