LRD guides and handbook April 2024

Data protection and monitoring: An LRD guide to privacy at work

Chapter 1

The data protection principles

The UK GDPR regime is based on a set of core data protection principles. Article 5(1) of the UK GDPR specifies six data protection principles that apply when any personal data is processed. An employer who carries out any form of data processing must comply with these. They are:

• lawfulness, fairness and transparency — all personal data must be processed lawfully, fairly and transparently;

• purpose limitation — data must be collected for specified, explicit and legitimate purposes and not processed in a way that is incompatible with those purposes;

• data minimisation — data must be adequate, relevant and limited to what is needed to achieve those purposes;

• accuracy — data must be accurate and up to date. Every reasonable step must be taken to ensure inaccurate personal data is erased or corrected without delay;

• storage limitation — data must be kept in a form that allows identification of data subjects for no longer than necessary, considering the purposes for which data is processed; and

• integrity and confidentiality — data must be processed securely, with protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.

Under Article 5(2), it is up to the employer to demonstrate that they have complied with the above six principles. Accountability is therefore considered a further fundamental principle of data protection law.