• 16 Aug 2023
• •
• 2 min read

Data Protection - What are the Data Protection Principles and why are they important?

UK data protection law sets out seven principles which organisations need to comply with when handling personal data.

The Information Commissioner’s Office (the ICO) describes the principles as follows: “They don’t give hard and fast rules, but rather embody the spirit of the general data protection regime – and as such there are very limited exceptions. Compliance with the spirit of these key principles is therefore a fundamental building block for good data protection compliance.”

The principles require that organisations ensure that personal data is:

1. processed lawfully (i.e. the organisation has a lawful basis to process the personal data), fairly (i.e. in a way that an individual would expect) and in a transparent manner;
2. collected for specified, explicit and legitimate purposes and not then further processed in a manner that is incompatible with those purposes (the ICO says “As a general rule, if the new purpose [for which you want to use the personal data] is either very different from the original purpose, would be unexpected, or would have an unjustified impact on the individual, it is likely to be incompatible with your original purpose. In practice, you are likely to need to ask for specific consent to use or disclose data for this type of purpose.” So an example might be organisation A selling a list of its customers to whom it has sold garden furniture to organisation B so that organisation B can make marketing calls to organisation A’s customers to try and sell them hot tubs;
3. adequate, relevant and limited to what is necessary given the purposes for which the personal data is processed (i.e. if you only need information to deliver an order of goods to a customer don’t also ask for their data of birth, country of birth and nationality);
4. accurate and kept up to date. Every reasonable step must be taken to ensure that inaccurate data is erased or rectified without delay;
5. kept for no longer than is necessary for the purpose for which it was collected (i.e. have and keep under review data retention periods); and
6. kept secure using appropriate technical or organisational security measures.

The seventh principle puts the responsibility on controllers to comply with the above six principles and to be able to demonstrate compliance with those principles.

In simple terms, these seven principles should guide your data protection compliance in all areas of your organisation.

Our data protection team has many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421. 

If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please email [email protected].