The 7 principles of GDPR explained

by Mark McShane, May 12, 2026

A clear guide to the seven principles of UK GDPR — lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability — with practical detail and current ICO guidance.

Every requirement in UK GDPR ultimately ties back to seven principles set out in Article 5. They are not aspirations or best practices. They are legal obligations, and the burden of proving you meet them sits with you, not with the regulator.

Six of the seven principles describe how personal data must be handled. The seventh — accountability — requires you to be able to demonstrate that you meet the other six. The accountability principle is what turns GDPR from a values statement into a documentation regime.

This guide covers each principle in detail, with practical context for how it applies in a working organisation.

The 7 principles of GDPR at a glance

[Figure: The 7 GDPR principles diagram]

Article 5 of the UK GDPR lists six principles in paragraph 5(1) and the accountability principle separately in 5(2). Together they are:

  1. Lawfulness, fairness and transparency.
  2. Purpose limitation.
  3. Data minimisation.
  4. Accuracy.
  5. Storage limitation.
  6. Integrity and confidentiality (commonly called the security principle).
  7. Accountability.

The Data (Use and Access) Act 2025 clarified parts of the purpose limitation principle — specifically around when re-use of personal data is compatible with the original purpose — but the seven principles themselves are unchanged.

1. Lawfulness, fairness and transparency

Article 5(1)(a) requires personal data to be "processed lawfully, fairly, and in a transparent manner in relation to the data subject". The three elements work together.

Lawfulness means you need a lawful basis under Article 6 for every processing activity. There are now seven: consent, contract, legal obligation, vital interests, public task, legitimate interests, and (since the DUAA) recognised legitimate interests. For special category data, you need an additional condition under Article 9. For criminal offence data, you need a condition from Schedule 1 of the Data Protection Act 2018.

Identifying the basis isn't a paperwork exercise. The lawful basis you rely on shapes which rights the individual has (the right to data portability, for example, applies only to consent and contract bases), and changes mid-processing are not allowed.

Fairness is harder to define crisply but covers two things: people would not be surprised by what you're doing with their data, and the processing does not have unjustified adverse effects on them. A use that meets the letter of a lawful basis but takes advantage of people — say, opaque profiling that disadvantages a vulnerable group — is unlawful as well as unfair.

Transparency means people understand what is being done with their data. The mechanism is the privacy notice required by Articles 13 and 14: it must identify you, your purposes, the lawful basis, who you share data with, how long you keep it, and the rights people have. The privacy notice must be in clear and plain language, and accessible. Hidden, deliberately complex, or buried notices fail this test.

A practical implication: every lawful basis you rely on must appear in the privacy notice, with enough specificity that someone could challenge whether it's correct. Vague "we may use your data" language doesn't meet the standard.

For a fuller treatment of lawful basis, see our lawful basis and consent guide. For privacy notice requirements, see our privacy notices guide.

2. Purpose limitation

[Figure: Purpose limitation compatibility test infographic]

Article 5(1)(b) requires personal data to be "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes".

The principle has two parts: you must define your purposes at the point of collection, and you must not later use the data for incompatible purposes.

Specified means the purpose has to be identified clearly at the time of collection. "We collect your email to send you order confirmations" is specific. "We may use your data for various purposes" is not.

Explicit means the purpose has to be communicated openly — typically in the privacy notice. A purpose hidden in a terms-and-conditions document, or only inferable from context, doesn't qualify.

Legitimate means the purpose has a proper basis — broadly, that it is lawful and ethical.

The "no further processing for incompatible purposes" rule is more nuanced. The Data (Use and Access) Act 2025 clarified the compatibility test, and the ICO updated its purpose limitation guidance in March 2026 to reflect the changes. Compatible re-use is allowed; incompatible re-use is not.

To assess compatibility, the regulation says to consider:

  • Any link between the original purpose and the new purpose.
  • The context in which the data was collected and what the individual would reasonably expect.
  • The nature of the data — particularly whether special category data is involved.
  • The possible consequences of the new processing for the individual.
  • Whether appropriate safeguards (encryption, pseudonymisation) are in place.

A common example: collecting customer email addresses for order confirmations and later using them for direct marketing is generally treated as incompatible re-use unless the customer consents or the soft opt-in under PECR applies. The activities look adjacent, but the customer's reasonable expectation is different.

3. Data minimisation

Article 5(1)(c) requires personal data to be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed".

Data minimisation is the simplest principle to state and one of the most often breached. Organisations habitually collect more data than they need — extra fields on forms, extra retention "just in case", optional data made mandatory through poor form design.

The test is necessity. If a piece of data is not actually used for the stated purpose, you should not be collecting it. A pizza delivery order needs a name and address; a date of birth is not necessary unless alcohol is being delivered. A job application form needs qualifications and experience; marital status is almost never needed.

Data minimisation interacts with other principles. Collecting more than you need creates more exposure under the security principle (a bigger target if breached), more friction under storage limitation (more retention to manage), and more transparency obligations under Articles 13 and 14 (every data category should appear in the privacy notice).

The principle does not require you to under-collect. If you genuinely need a piece of data for the stated purpose — and can justify why — you can collect it. The test is necessity, not minimalism for its own sake.

4. Accuracy

Article 5(1)(d) requires personal data to be "accurate and, where necessary, kept up to date". Reasonable steps must be taken to ensure that inaccurate data is erased or rectified without delay.

The principle creates two duties: a duty to take reasonable steps to make sure data is accurate at the time of processing, and a duty to correct or delete it when you discover inaccuracies. The "without delay" qualifier is meaningful — discovering inaccurate data and choosing to leave it in place is an active breach.

Accuracy has a particularly sharp edge in personnel files and customer service notes. Subjective observations ("seemed distressed", "may be difficult to work with") need careful handling — they can be highly damaging if inaccurate, and the right to rectification under Article 16 means individuals can ask for them to be corrected. Where the assessment is genuine professional judgement, the right is to add a counter-statement rather than to require deletion.

A practical implication: any record-keeping process that includes opinions about people should have a regular review point, and a clear path for the individual to challenge the content.

5. Storage limitation

Article 5(1)(e) requires personal data to be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed".

UK GDPR sets no fixed retention periods. The principle is purpose-led: keep the data while you need it for the stated purpose, then delete or anonymise it. Other laws (HMRC, employment, financial services) impose statutory minimums that override the default — but UK GDPR itself does not.

There is a narrow exception in Article 5(1)(e) for processing for archiving in the public interest, scientific or historical research, or statistical purposes. Indefinite retention is permitted for these purposes if the appropriate safeguards under Article 89 are in place.

The accountability requirement that goes with this principle is the retention schedule: a documented list of each data category, the retention period, and the justification. The retention schedule should be reviewed periodically and updated when processing changes.

For the full treatment, see our data retention guide.

6. Integrity and confidentiality (security)

Article 5(1)(f) requires personal data to be "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures".

This is the security principle, sometimes called integrity and confidentiality. It is the basis for the more detailed Article 32 requirements on technical and organisational measures.

"Appropriate" is the operative word. The regulation does not prescribe specific security controls — encryption strength, password policies, network architecture — because the right level depends on the risk created by the processing. A small organisation processing routine customer data has different obligations from a hospital running a clinical research database. The risk-based approach means you have to assess your processing, document the controls you've put in place, and be able to justify why they're appropriate.

The ICO and the National Cyber Security Centre published joint GDPR Security Outcomes guidance. It is the practical reference for what "appropriate" looks like in different contexts.

The security principle is the one most commonly cited in ICO fines. Of the four largest UK GDPR fines issued in 2025 — Capita group £14 million, Advanced Computer Software £3.07 million, 23andMe £2.31 million, LastPass UK £1.23 million — every one was for a security failure following a cyber attack.

For the breach side of security, see our data breach guide.

7. Accountability

[Figure: The accountability evidence pyramid]

Article 5(2) sets out the accountability principle separately. It states that the controller is responsible for, and must be able to demonstrate compliance with, the other six principles.

The wording is what makes UK GDPR a documented compliance regime. It is not enough to be lawful, fair, transparent, purpose-limited, data-minimal, accurate, storage-limited, and secure. You must be able to show that you are. The burden of proof sits with the controller.

In practice, accountability means:

  • A documented Record of Processing Activities (Article 30).
  • A documented lawful basis assessment for each processing activity.
  • Documented Legitimate Interests Assessments where you rely on legitimate interests.
  • Documented Data Protection Impact Assessments for high-risk processing.
  • A documented retention schedule.
  • A documented information security policy with appropriate technical controls.
  • Documented incident response procedures and breach records.
  • Documented training records showing staff understand their obligations.
  • A documented privacy notice and process for keeping it current.

These documents are not optional decorations. They are the evidence the ICO will ask for in any audit or investigation. An organisation that handles personal data well but has no documentation will struggle in an enforcement context. An organisation with strong documentation can demonstrate compliance even when something has gone wrong.

The accountability principle is also what gives the Data Protection Officer role its substance. Where a DPO is required under Article 37, the DPO's job is largely about making accountability work — building, maintaining, and assuring the documentation.

For the practical implementation, see our ROPA guide and our hub guide to UK GDPR.

The principles in a nutshell

Principle                                 | What it requires
------------------------------------------|------------------------------------------------------------------------
1. Lawfulness, fairness and transparency  | Lawful basis for every activity; fair processing; clear privacy notices.
2. Purpose limitation                     | Define purposes at collection; no incompatible re-use.
3. Data minimisation                      | Collect only what is necessary for the stated purpose.
4. Accuracy                               | Keep data accurate and up to date; correct or delete errors promptly.
5. Storage limitation                     | Keep data only as long as needed for the purpose.
6. Integrity and confidentiality          | Appropriate security for the risk.
7. Accountability                         | Be able to demonstrate compliance with the other six.

Underneath each of these, the regulation has dozens of detailed Articles. The principles are the framework; the Articles fill in the operational detail.

Frequently asked questions

How many GDPR principles are there?

Seven. Six are listed in Article 5(1) — lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, and security. The seventh, accountability, sits in Article 5(2) and applies on top of the others.

What is the accountability principle?

The requirement to demonstrate compliance with the other six principles. It turns UK GDPR into a documented regime — controllers must be able to show, in writing, that they meet their obligations.

What's the difference between data minimisation and storage limitation?

Data minimisation is about how much you collect — only what's necessary. Storage limitation is about how long you keep it — only as long as necessary. Both relate to "necessity", but at different points in the data lifecycle.

Did the DUAA change the GDPR principles?

The seven principles themselves are unchanged. The Data (Use and Access) Act 2025 did clarify the purpose limitation principle's compatibility test, and the ICO updated its guidance accordingly in March 2026. The principles' core wording remains as it was.

Can you breach GDPR by accident?

Yes. The accuracy principle, the security principle, and the storage limitation principle are all commonly breached through accident or oversight — an unencrypted laptop is stolen, retention periods are not enforced, an inaccurate record is left in place. Intent is not required for a breach to occur, and is not required for enforcement to follow.
