GDPR Principles

The General Data Protection Regulation (GDPR) gives EU citizens and residents more control over their data—implementing data rights and increasing oversight for organizations processing personal data.

A complex piece of legislation with 99 articles that cover everything from the definition of consent to rules on data portability, the GDPR has seven unifying principles.

Lawfulness, Fairness, and Transparency

Data processing must be done “lawfully, fairly, and transparently”—meaning data controllers need to identify and document at least one lawful basis for any personal data processing. They must also provide detailed information about their data processing in an easily accessible format that uses clear language.

Purpose Limitation

Purpose of processing should be determined at the time of collection and any subsequent use should be limited to that purpose.

If it becomes necessary to use the data for another purpose, this should only occur if the new purpose is compatible with the original one. Data collected for one purpose may not be used for another purpose without consent from the individual, unless it’s otherwise permitted by law.

Data Minimization

Data minimization requires that companies only collect the information they need to complete a specific task.

Under this principle, the personal data you collect should be limited and relevant to what’s strictly necessary. In other words, if you don't need all of it, don't keep all of it!

By minimizing the amount of personal data collected, controllers can also reduce data security risk and further protect individuals' rights.

Storage Limitation

Data controllers must ensure personal data is stored in a format that allows for data subject identification only as long as is strictly necessary.

Personal data may be stored for longer periods only if it's used for archival purposes, historical or scientific research, or statistical analysis—all of which are still subject to the relevant safeguards required by GDPR.


Data controllers must ensure personal data is accurate and up-to-date. If the data is found to be inaccurate, the data controller must correct or erase the data.

Integrity and Confidentiality

Data controllers must protect personal data using security measures appropriate for the context. These measures must work to prevent data loss, destruction, and unauthorized or illegal processing.