The GDPR Principles and What They Mean For Your Business

Six plus one GDPR Principles

The process of ensuring your business is (and remains!) GDPR compliant begins with step one: understanding. Implementing refreshed systems, updating your terms of service, or even renewing your contractual agreements, cannot be initiated before you and your team fully understand the GDPR principles. The GDPR principles are outlined in Article 5, and while there are, indeed, seven principles upon with the GDPR is founded, they’re historically referred to as six plus one! 

Data subjects

Before we talk about the GDPR principles and how they affect your business,  let’s talk about the concept of a data subject. A data subject is, simply put, the person to whom the data you’re processing or managing belongs. A data subject can have any number of pieces of information attached to them, identifiable by a customer or reference number. Data subjects have other identifiers too, and those can be the very information you have power over. This could include demographic information, financial information, or personal information. The GDPR principles your company’s data processing must adhere to include: 

Lawfulness, fairness, and transparency

In terms of the first GDPR principle, your business must process, store, and use your data subjects’ information in a legal, fair, and transparent manner. For it to be:

  • Lawful: It can only be used for the purposes your data subject has been informed of and has given permission for. There must be legal reasoning for obtaining this information. Your business will need to identify robust requirements for obtaining this information and the process of data collection must abide by all legal requirements. Any deviation from the law in this regard could result in a fine and/or other consequences.
  • Fair: It can only be used for the purposes your data subject has consented to or can reasonably expect. For example, your business can’t just use the information given to it, for a customer testimonial. You’ll need to request consent for doing that before you add it to your website. 
  • Transparent: The information your company obtains and uses must be processed in such a way that your data subjects, customers, and users understand the purpose behind its usage, and just how it will be used. Transparency is best begun in the terms and conditions of your contracts, and making them as clear as possible is important. 

Purpose limitation

The information your company collects can only be used for the purposes your data subjects have agreed to, or been informed of. If your business does need to use the information collected for a secondary purpose, you’ll need to ask your customer or supplier to agree to that process upfront too or offer your customers an opt-out clause. For example, you can’t simply use your customer contacts database for marketing a second business, that’s unrelated to what they signed up for in the first place. 

Data minimisation

Collecting as little information as possible is important, in terms of this GDPR principle. That may seem nonsensical at first, but this principle aims to remove unnecessary data collection and protect data subjects from being forced to share information they may not feel comfortable sharing. Being forced to hand over unnecessary personal information, just so you can sign up to a mailing list for an ice-cream shop is out. 


This should be the first principle of all things, in my view, but then I’m just a girl who is still being addressed by a financial institution, with an incorrect surname and marital status…and have been for about 15 years now! Ensuring your business not only captures accurate information, but ensures it stays up to date, is critical, both as a business function and in terms of your GDPR compliance level.

Storage limitation

Limiting the storage of your customer information has very little to do with the size of your server, but rather the length of time you keep someone’s information for. Generally speaking, you are compelled to delete personal information relating to your data subject, the moment your business no longer needs it, or is no longer required by law to keep it. Similarly, you’ll need to tell your customers about how long you need their data for, upfront. 

Integrity and confidentiality

Here’s the big one! Ensuring the information your business stores and uses is secured, remains confidential, and is insured against accidents. Yes! The data your company collects, keeps, and uses does need to be insured. And yes, data leaks are not the responsibility of your users to rectify – if a breach happens, it’s up to you to be aware of it, communicate about it, and resolve it. 


This is the ‘plus one’ principle: accountability. Ensuring your business is GDPR compliant is not the job of your service provider, nor your outsourced consultant: it’s yours. Your business must be able to demonstrate that it is GDPR compliant, and it’s up to nobody else but you. That’s why your business needs data protection contracts, full documentation, and simplified processes that ensure you can prove you’re accountable and compliant, with ease. 

Upon the first read, these GDPR principles can seem scary and onerous to tackle. But, at ProPrivacy, we make it easy for you. Get in touch with our team, and we’ll help your business set a path towards GDPR compliance.


Get in touch with ProPrivacy team and we’ll help you roll out a GDPR compliance programme that covers every requirement.

Cath Jenkin
Written By Cath Jenkin

As a communications consultant and freelance writer, Cath has helped more than 100 brands, businesses, and people, find the right words to tell their important stories. Cath points her cursor and bashes her keyboard to create useful, reliable content for people who want to learn more about blockchain technologies, finance, property, online safety & information security.