GDPR: The Six Data Processing Principles


Article 5 of the GDPR sets out the six principles of processing data – it is the very heart of the GDPR and should form the centre point of any data management strategy.

The Six Data Processing Principles

From the GDPR, Article 5:
Personal data shall be:

(1) processed lawfully, fairly and in a transparent manner

(2) collected for specified, explicit and legitimate purposes

(3) adequate, relevant and limited to what is necessary

(4) accurate and, where necessary, kept up to date

(5) kept … for no longer than is necessary

(6) processed in a manner that ensures appropriate security of the personal data.

This article will look at each of these principles.

Principle 1 – Lawful, Fair, Transparent

Personal data shall be:

“processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)”


What makes the processing of personal data lawful is outlined in Articles 6 and 9 of the GDPR. Article 6 deals with the ‘typical’ legal cases for processing data, which are:

(a) the data subject has given consent to the processing for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party [the important part here is that the data subject must be a party to this contract. It doesn’t give you the right, for example, to collect personal data on somebody because your market research company signed a contract with a company promising they would!]

(c) processing is necessary for compliance with a legal obligation to which the controller is subject; [this might include data relating to the paying of taxes, including in payroll]

(d) processing is necessary in order to protect the vital interests of the data subject

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller

In addition to this requirement, if the personal data falls into the ‘special’ category of data, which includes ‘data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation’ then a different set of legal cases must apply:

From Article 9 of the GDPR:

(a) the data subject has given explicit consent;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject

(c) processing is necessary to protect the vital interests of the data subject

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade-union aim.

(e) processing relates to personal data which are manifestly made public by the data subject;

(f) processing is necessary for the establishment, exercise or defence of legal claims

(g) processing is necessary for reasons of substantial public interest.

In order to lawfully process any of the special categories of data listed above, you must first have a legal basis to do so. So for special categories of data you need at least one reason from each list before you can proceed.


The personal data must be processed fairly.

Articles 13 and 14 spell out exactly how the personal data can and should be processed fairly, and has a comprehensive list of pieces of information that must be provided:

  • The identity of the Data Controller, including with contact details.
  • The identity of the Data Protection Officer, where applicable.
  • The purpose for processing, as well as the legal basis for doing so.
  • If your intention is to share with or pass the data onto a third-party, you must reveal it.
  • If the data is going to be stored in or sent to a different country, you must reveal it.
  • The period of time the that data will be stored for.
  • The right to rectification, erasure, restriction and objection.
  • The right to withdraw consent at any time.
  • The right to complain to a supervisory authority.
  • Any consequences of not providing the data.
  • The existence of any automated decision-making processes, like automatic CV screening for example.

Article 14 deals with additional rules that come into play If the data has been collected from a third-party source, such as a marketing company or the public record. This has all the requirements of Article 13 with the additional point that you must disclose where you got the information from.

You cannot do anything with third-party personal data before you have requested consent from the data subject – served them with a Privacy Notice.


Transparency in the context of the GDPR means essentially that you are clear and straight with your data subjects and potential data subjects.

You must have legitimate grounds for collecting and using the data, and be transparent about the reason. If you are looking for people who might like to buy a new lawnmower, it is not enough to say you are collecting data about people who enjoy gardening (and then try to sell them a lawnmower).

You must make the process as clear and fair as possible. The explanation(s) must be straightforward and not hidden in nonsense and wordplay. (e.g. “Tick this box if you don’t want to not unreceive no marketing communication” is perhaps an extreme example but you get the point!)

Principle 2 – Specified, Explicit and Legitimate

Principle 2 is linked in many ways to the ‘Transparency’ element of Principle 1. It is all about being clear and honest about what personal data you are collecting and what you intend to do with it.

From Article 5 of the GDPR:

Personal data shall be:


“Collected for specified, explicit and legitimate purposes and not further processed in a

manner that is incompatible with those purposes”



You need to inform the data subject what exactly you intend to use the data for.

To be able to demonstrate compliance, you need to be confident that any uses of the personal data were ‘covered’ with the initial request. If you can’t make the case that they were, then you need to either request consent for the new type of data processing, or inform the data subject of the new data processing with whichever legal right you decide fits.


You cannot use general terms in order to give you carte blanche to use the personal data however you wish. You must be explicit in your intended use. Phrases such as ‘as per the needs of the business’ or ‘and our selected partners’ are too wooly and vague to satisfy this criteria.


Having a legitimate interest in the personal data is reasonably straightforward. Most things that personal data is currently used for is legitimate. Direct Marketing, for example, is perfectly legitimate.  Fraud prevention might be another legitimate reason, as could being compliant with legal obligations.

Bear in mind that the data subject has the right to know what you are planning to do with the information. Without that, there are no real grounds to be able to claim legitimacy.

Principle 3 – Adequate and Limited to What is Necessary

Article 5 of the GDPR states that Personal Data shall be:

“Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)”

Data Minimisation

This simply means you must gather exactly the amount of data you need to perform the task you are using the data for – no more, no less.

With each individual piece of data you should be able to satisfy the following two questions:

  1. Why do I need the data?
  2. How am I going to use it?

If you don’t have a specific answer to each question then there is no justification for requesting the data. This doesn’t really limit you in any real sense, but rather challenge you to save everyone time and energy by asking for, and processing, exactly what you need and no more.

Principle Four – Accurate and Up to Date

Article 5 of the GDPR states that Personal Data shall be:

“Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)”

You should take reasonable steps to ensure the data you collect is accurate, and the magic word here is ‘reasonable’. The GDPR is not adding layers of complexity or new regulations regarding how you do this – in most cases, the existing methods of ensuring accuracy will be fine.

I’m sure you already have a system in place to ensure data on current employees is kept up to date, whether that is an annual data checkup, or another system – and that will no doubt be fine to continue with.

When it comes to data on past employees that’s a decision for the individual company. It may very well be necessary to keep this data up to date at least for, say, twelve months, due to final payroll details, references and more. After a certain amount of time has passed it may be worth considering removing the personal data rather than trying to keep it up to date.

Principle Five – Kept for No Longer than Necessary

The GDPR says the Personal Data shall be:

“Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

In a nutshell, this means you shouldn’t keep personal data for longer than is necessary to complete the task for which you collected it in the first place.

This principle is probably, strictly speaking, one of the more disruptive ones to show compliance with. Indeed whether organisations will comply, or will be penalised for not complying, remains to be seen as the GDPR comes into effect.

To demonstrate compliance you should consider all the personal data you currently hold, what (if any) policy of data removal you have and how that process is documented.

Customer databases are of significance here – just how long do you keep a customer’s details for once they have become a customer? In most cases the answer is ‘until the end of time’. If that is the case, it may be necessary to declare this at the point the data is collected.

Principle Six – Secure

The GDPR says the Personal Data shall be:

“Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)”

You should be able to demonstrate that you have a level of security in place that is appropriate to the type of data you are holding and the negative effects a breach of that security would create.

Bear in mind that you may wish to give your data subjects access to their data to conform with other aspects of the GDPR, so security should be considered here too.

You should be clear in your organisation about who is responsible for ensuring information security, and where necessary introduce the systems, technology and training to ensure you can demonstrate a robust, secure framework.

You should also have a policy in place for dealing with data breaches. Bear in mind that you have only 72 hours to report a data breach to the relevant authority (where required) and quick, appropriate action may save you from a fine (or mitigate it) once the dust has settled.


The GDPR is a big deal. While we’re attempting to create a readable and accessible introduction to the GDPR, our comments here should not be considered legal advice. The best individual place for GDPR information in the UK is the ICO Website. You may also wish to obtain your own legal advice, which, again, this is not.

The author, Michael Horner, is a member of the CIPD and an enthusiastic student of the GDPR . Email him here, follow him on twitter or add a comment below.