The GDPR Principles and What They Mean For Your Business

Six plus one GDPR Principles

The process of ensuring your business is (and remains!) GDPR compliant begins with step one: understanding. Implementing refreshed systems, updating your terms of service, or even renewing your contractual agreements cannot begin before you and your team fully understand the GDPR principles. The GDPR principles are outlined in Article 5, and while there are, indeed, seven principles upon which the GDPR is founded, they’re historically referred to as six plus one!

Data subjects

Before we talk about the GDPR principles and how they affect your business, let’s talk about the concept of a data subject. A data subject is, simply put, the person to whom the data you’re processing or managing belongs. A data subject can have any number of pieces of information attached to them, identifiable by a customer or reference number. Data subjects have other identifiers too, and those can be the very information you have power over. This could include demographic information, financial information, or personal information. The GDPR principles your company’s data processing must adhere to include:

Lawfulness, fairness, and transparency

In terms of the first GDPR principle, your business must process, store, and use your data subjects’ information in a legal, fair, and transparent manner. For it to be:

  • Lawful: It can only be used for the purposes your data subject has been informed of and has given permission for. There must be legal reasoning for obtaining this information. Your business will need to identify robust requirements for obtaining this information and the process of data collection must abide by all legal requirements. Any deviation from the law in this regard could result in a fine and/or other consequences.
  • Fair: It can only be used for the purposes your data subject has consented to or can reasonably expect. For example, your business can’t just use the information given to it for a customer testimonial. You’ll need to request consent for doing that before you add it to your website.
  • Transparent: The information your company obtains and uses must be processed in such a way that your data subjects, customers, and users understand the purpose behind its usage, and just how it will be used. Transparency is best begun in the terms and conditions of your contracts, and making them as clear as possible is important. 

Purpose limitation

The information your company collects can only be used for the purposes your data subjects have agreed to, or been informed of. If your business does need to use the information collected for a secondary purpose, you’ll need to ask your customer or supplier to agree to that process upfront too, or offer your customers an opt-out clause. For example, you can’t simply use your customer contacts database for marketing a second business that’s unrelated to what they signed up for in the first place.

Data minimisation

Collecting as little information as possible is important, in terms of this GDPR principle. That may seem nonsensical at first, but this principle aims to remove unnecessary data collection and protect data subjects from being forced to share information they may not feel comfortable sharing. Being forced to hand over unnecessary personal information, just so you can sign up to a mailing list for an ice-cream shop is out. 


Accuracy

This should be the first principle of all things, in my view, but then I’m just a girl who is still being addressed by a financial institution with an incorrect surname and marital status… and have been for about 15 years now! Ensuring your business not only captures accurate information, but ensures it stays up to date, is critical, both as a business function and in terms of your GDPR compliance level.

Storage limitation

Limiting the storage of your customer information has very little to do with the size of your server, but rather the length of time you keep someone’s information for. Generally speaking, you are compelled to delete personal information relating to your data subject, the moment your business no longer needs it, or is no longer required by law to keep it. Similarly, you’ll need to tell your customers about how long you need their data for, upfront. 

Integrity and confidentiality

Here’s the big one! Ensuring the information your business stores and uses is secured, remains confidential, and is insured against accidents. Yes! The data your company collects, keeps, and uses does need to be insured. And yes, data leaks are not the responsibility of your users to rectify – if a breach happens, it’s up to you to be aware of it, communicate about it, and resolve it. 


Accountability

This is the ‘plus one’ principle: accountability. Ensuring your business is GDPR compliant is not the job of your service provider, nor your outsourced consultant: it’s yours. Your business must be able to demonstrate that it is GDPR compliant, and it’s up to nobody else but you. That’s why your business needs data protection contracts, full documentation, and simplified processes that ensure you can prove you’re accountable and compliant, with ease.

Upon the first read, these GDPR principles can seem scary and onerous to tackle. But, at ProPrivacy, we make it easy for you. Get in touch with our team, and we’ll help your business set a path towards GDPR compliance.





Written By Philipa Jane Farley

Philipa is the lead consultant and auditor at ProPrivacy. With clients as far afield as Canada, South Africa, Kenya, Germany, Spain and other such exotic locations, besides Cork and elsewhere in Ireland, Philipa enjoys a broad view of the state of data protection, privacy and cyber security worldwide. Philipa’s passion is manageable data compliance for SMEs.

Philipa is a qualified teacher, besides holding qualifications in computer science (Bachelor of Science in Artificial Intelligence Programming) and electronic and intellectual property law (LLB). She is trained in constitutional (fundamental) rights litigation and enjoys a good debate.

Philipa has over twenty years of experience working in different sized organisations and sectors on operational, governance, risk management and compliance matters. She is an analytical and focused person who enjoys a challenge in the workplace. She loves technology, systems and people and has a passion for showing people how technology can make life easier and better. She understands that the world is driven by data today but privacy is paramount. Responsibly developed AI excites Philipa for the future.
