There are seven general principles set out in GDPR article 5.

Lawfulness, fairness, and transparency

Personal data related to a data subject should be processed lawfully, fairly, and in a transparent manner. To achieve this goal, one needs to have a thorough understanding of the GDPR regulations.

Purpose limitation

Personal data should be collected for a specific, explicit, and legitimate purpose.

Data minimization

Any personal data collected should be adequate and limited to what’s necessary for the purposes for which they are processed. By following this principle, two key benefits are achieved: 1) Potential damage is minimized in the event of a data breach, and 2) The amount of data that needs to be maintained to stay accurate is limited.

Accuracy

Maintaining the accuracy of personal data is essential to data protection. The GDPR states that “every reasonable step must be taken” to erase or rectify data that is inaccurate or incomplete.

Storage limitation

Personal data that allows identification of the data subject shall be kept only as long as necessary to fulfill the processing purpose. This will normally be the period of a business relationship.

It’s important to note that such personal data may be stored longer as long as it will only be processed for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes. Check GDPR article 89 for further details.

Integrity and confidentiality

Personal data shall be processed in a way that ensures appropriate security (protection against unauthorized or unlawful processing, loss, destruction, or damage of the data), which requires suitable technical and/or organizational measures.

GDPR does not state specific requirements due to the constant evolution of technology and best practices. Current standards involve data encryption and pseudonymization where possible.

Accountability

The data controller shall be responsible for and be able to demonstrate compliance with the above six principles.