Almost every requirement in the GDPR — from consent and security to data subject rights and breach reporting — traces back to seven core principles set out in Article 5. Master these and you have a mental model for the entire regulation, plus a reliable test for whether any data-handling decision supports your wider GDPR compliance.
The principles are not abstract ideals. Regulators expect to see them reflected in your policies, systems and day-to-day decisions, and breaching them sits in the higher fine tier. Below we explain each one in plain terms, with examples and common pitfalls, then show how to put them into practice.
The seven principles at a glance
Before the detail, here are all seven in one view. Article 5(1) lists the first six; Article 5(2) adds accountability, which obliges you to demonstrate the rest.
| Principle | What it requires in practice |
|---|---|
| Lawfulness, fairness & transparency | Have a valid legal basis, act fairly, and tell people clearly how you use their data. |
| Purpose limitation | Collect data for specified, explicit purposes; don’t reuse it incompatibly. |
| Data minimisation | Collect only what you genuinely need for that purpose. |
| Accuracy | Keep data correct and up to date; fix or erase errors without delay. |
| Storage limitation | Keep data only as long as necessary, then delete or anonymise it. |
| Integrity & confidentiality | Protect data with appropriate technical and organisational security. |
| Accountability | Be able to demonstrate compliance with all of the above. |
Notice how they build on each other: you need a reason to process data, you limit what you collect and how long you keep it, you keep it accurate and secure, and you can prove you did all of this. Skip any one and the others start to unravel.
1. Lawfulness, fairness and transparency
This first principle has three linked parts. Lawfulness means identifying a valid lawful basis — such as consent, contract or legitimate interests — before you process any personal data. Fairness means using data only in ways people would reasonably expect, without deceiving them or causing unjustified harm. Transparency means telling people clearly, usually through a privacy notice, who you are, what you do with their data and why.
A common pitfall is treating this as a box-ticking exercise. Burying key information in dense legal text, or quietly using data for a purpose the person never anticipated, breaches the principle even if a lawful basis technically exists. The test is whether an ordinary person would feel misled if they saw exactly what you were doing.
2. Purpose limitation
You must collect personal data for specified, explicit and legitimate purposes, state those purposes up front, and not later use the data in a way that is incompatible with them. This stops “function creep”, where data gathered for one reason gradually gets reused for unrelated ones.
For example, if you collected email addresses solely to deliver a service, repurposing that list for unrelated third-party marketing without a fresh basis or notice crosses the line. Some further uses are compatible — archiving, statistics or genuine internal analytics often are — but you should assess and document compatibility rather than assume it.
3. Data minimisation
Hold only the personal data that is adequate, relevant and limited to what is necessary for your purpose. Every extra field you collect “just in case” increases your risk surface, your storage cost and the harm if you suffer a breach — without adding real value.
In practice, minimisation means challenging each item on a form or in a database: do we actually need a date of birth, a phone number, a full address? Could we use a less identifying value, or none at all? Designing for minimisation up front is far easier than stripping data out later, and it directly reduces your exposure under every other principle.
4. Accuracy
Personal data must be accurate and, where necessary, kept up to date. You must take reasonable steps to erase or rectify inaccurate data without delay, especially where decisions about people depend on it — credit, eligibility, employment and the like.
Accuracy is not a promise that every record is perfect forever; it is an obligation to have sensible processes for catching and correcting errors. Letting customers update their own details, periodically validating key data, and acting promptly on rectification requests all satisfy this principle.
Handled well, this is one more building block of practical GDPR compliance.
5. Storage limitation
Don’t keep personal data in an identifiable form for longer than you need it. Set retention periods tied to the purpose, document them in a retention schedule, and delete or anonymise data when it is no longer required.
Indefinite retention “in case it’s useful one day” is one of the most common failings regulators see. If you genuinely need data for analytics or research, anonymising it — so individuals can no longer be identified — takes it outside GDPR entirely and lets you keep the value without the risk.
6. Integrity and confidentiality (security)
You must protect personal data with appropriate technical and organisational measures against unauthorised access, loss or damage. This principle maps directly onto the security obligations in Article 32 — encryption, access controls, logging, backups and resilience.
“Appropriate” is risk-based: the measures expected for a marketing list differ from those for health records. The point is to make deliberate, documented security decisions proportionate to the sensitivity of the data and the harm a breach would cause, and to review them as threats evolve.
7. Accountability
The seventh principle ties the others together: you must be able to demonstrate compliance, not merely assert it. That means maintaining records of processing, policies, risk assessments, training logs and evidence that your controls actually operate.
Accountability is what turns GDPR from a one-off checklist into an ongoing discipline. It is also your best protection: if something does go wrong, being able to show a regulator that you took data protection seriously — with documented decisions and reasonable controls — dramatically changes how an incident is judged.
Putting the principles into practice
The principles work best as a standing checklist for every new project, feature or vendor. Before you process anything, ask: what is our purpose and lawful basis; what is the minimum data we need; how will we keep it accurate; how long will we keep it; how will we secure it; and how will we record these decisions? Build those questions into design reviews and procurement, and you satisfy the bulk of GDPR by default rather than as an afterthought.
The hardest part is usually accountability — producing and maintaining the evidence — because it spans people, process and technology. ISpectra Technologies helps teams translate the seven principles into concrete policies, controls and records, so compliance is something you can demonstrate on demand rather than scramble to reconstruct.
How the principles connect to the rest of GDPR
Once the seven principles are clear, the rest of the regulation reads as detail rather than a wall of new rules. Lawful bases and consent give effect to lawfulness; privacy notices deliver transparency; retention schedules implement storage limitation; Article 32 controls satisfy integrity and confidentiality; and records of processing, DPIAs and training are how you evidence accountability.
Data subject rights flow from the same source: the right of access supports transparency, rectification supports accuracy, and erasure supports storage limitation. So rather than memorising dozens of separate obligations, anchor on the principles and ask how each rule serves one of them. That single habit makes GDPR easier to apply consistently — and far easier to defend if a regulator ever asks why you made a particular decision.