Data protection principles under the GDPR
Produced in partnership with Pillsbury Winthrop Shaw Pittman LLP

The following Financial Services guidance note, produced in partnership with Pillsbury Winthrop Shaw Pittman LLP, provides comprehensive and up-to-date legal information covering:

  • Data protection principles under the GDPR
  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability
  • Exemptions to the principles

Brexit: On 31 January 2020, the UK ceased to be an EU Member State and entered an implementation period, during which it continues to be subject to EU law. During this period, the GDPR applies in the UK and the UK generally continues to be treated as an EU (and EEA) state for EEA and UK data protection law purposes. Any references to EEA or EU states in this Practice Note should therefore be read to also include the UK until the end of the implementation period. For further guidance on that period, its duration and the data protection laws that are anticipated to apply after the end of it, see Practice Note: Brexit—implications for data protection.

The General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR) contains a set of core data protection principles that controllers must comply with. These are set out in Article 5 and include:

  1. the lawfulness, fairness and transparency principle

  2. the purpose limitation principle

  3. the data minimisation principle

  4. the accuracy principle

  5. the storage limitation principle

  6. the integrity and confidentiality principle

  7. the accountability principle

Recital 39 also offers additional guidance on each of the above.

The principles under the GDPR are broadly similar to those set out in the preceding Data Protection Act 1998 (DPA 1998), but with added detail at certain points and an additional principle of accountability,