What are the Principles of the Data Protection Act

Written by: Coby McKinley

Updated January 5, 2023

Internet users concerned with consumer privacy should understand what are the principles of the Data Protection Act. Understanding the data protection rights of individuals can protect you from unlawful processing and confidentiality breaches. Luckily, the seven fundamental principles are easy to explain in plain English. So, stick around to learn how many data protection principles there are.


  • The 2018 General Data Protection Regulation (GDPR) Act provides guidelines for the collection and protection of consumer data.
  • There are seven principles of the GDPR, and they rely on accountability and transparency.
  • Companies can only collect specific data for predetermined and plainly disclosed purposes.

For more information on consumer privacy, check out how to register for the DPA, what the DPA covers, what computer cookies are, what net neutrality means, and what the pros of net neutrality are.

Insider Tip

You can contact a company’s data controller to erase your information or receive detailed documentation of your data.

The 7 Principles of the GDPR

The UK General Data Protection Regulation (GDPR) Act outlines the rights, key principles, and requirements for personal data processing in the UK. This data protection law follows guidelines similar to those of the EU’s GDPR. The seven principles of the GDPR outline how a company may collect user data for legitimate purposes.

Lawfulness, Fairness, and Transparency

A company must have a legitimate and useful reason for collecting user data. The GDPR defines this as lawfulness. Additionally, companies must be fair about how they collect the data, so individuals must know what personal data is being gathered and why. Lastly, companies must be transparent about what information they hold and why they hold it.

Purpose Limitation

Companies must have a specific and legitimate reason for collecting user data. Additionally, a business must ask for user consent each time they go beyond the initial purpose of the collected data.

Data Minimization

A company should only collect necessary data for a specific task. For example, if you subscribe to a text service, a company should only collect your phone number, not your home address or email.

Accuracy

The data a company collects must be accurate, and the company must delete incomplete or inaccurate information. Companies must schedule regular audits to double-check their information.

Storage Limitation

The GDPR requires companies to specify how long they store each piece of data in their database. Companies must set a storage limitation policy and anonymize information that falls outside of that timeframe.
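As an added illustration of the Data Minimization and Storage Limitation principles described above (example code, not from the original article), the snippet below keeps only the fields a stated purpose allows at collection time and later anonymizes any field whose retention window has expired; the retention periods, purposes and field names are constructed sample values, not figures from the article or from the regulation.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample retention policy: days each field may be kept after collection.
# A limit of 0 means the field is never retained (and, for a text service, never collected).
RETENTION_DAYS = {
    "phone_number": 365,
    "email": 365,
    "home_address": 0,
}

# Data minimization: fields each (hypothetical) purpose is permitted to collect.
ALLOWED_FIELDS = {
    "sms_subscription": {"phone_number"},
}


@dataclass
class Record:
    subject_id: str      # identifier linking the record to a person
    purpose: str         # purpose disclosed to the individual at collection time
    collected_on: date
    fields: dict         # field name -> stored value (None once anonymized)


def collect(subject_id, purpose, submitted, today_iso):
    """Store only the fields the declared purpose allows; silently drop the rest."""
    allowed = ALLOWED_FIELDS.get(purpose, set())
    kept = {name: value for name, value in submitted.items() if name in allowed}
    return Record(subject_id, purpose, date.fromisoformat(today_iso), kept)


def enforce_retention(record, today_iso):
    """Anonymize every field older than its retention limit.

    Returns the set of field names anonymized on this run. Once no personal
    field remains, the subject identifier is replaced so the record can no
    longer be linked to an individual.
    """
    age_days = (date.fromisoformat(today_iso) - record.collected_on).days
    expired = set()
    for name, value in record.fields.items():
        limit = RETENTION_DAYS.get(name, 0)  # unknown fields have no basis to be kept
        if value is not None and age_days > limit:
            record.fields[name] = None
            expired.add(name)
    if record.fields and all(v is None for v in record.fields.values()):
        record.subject_id = "anonymized"
    return expired
```

Running enforce_retention on a schedule is the audit step the Accuracy and Storage Limitation sections call for; the returned set can be logged as evidence for the accountability paper trail.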

Integrity and Confidentiality (Security)

Companies must keep collected data safe from unauthorized access, theft, and confidentiality leaks. The collected data must remain protected from destruction, loss, or damage.


American companies that operate in the UK or EU must get explicit consent for compliant data collection purposes.

Accountability

Companies must provide evidence of consent and a legal basis for processing data. The accountability principle ensures that companies keep a paper trail for regulators and supervisory authorities.

STAT: A 2019 Pew Research Center poll showed that 62% of Americans did not think it was possible to go through daily life without personal data processing activity from corporations or the government.

What are the Principles of the Data Protection Act FAQs

Are the UK and EU GDPR different?

There are very few differences between the EU GDPR and the UK’s GDPR 2018 rendition. The UK GDPR still supplies legal protections for customer privacy and outlines a data protection regime to oversee compliance efforts. Additionally, the compensation for damages and the penalties for poor compliance practices are nearly identical.

What is the penalty for GDPR breaches?

Non-compliant processing is subject to harsh fines and reputational damage. A failure to meet compliance requirements carries a standard fine of about $11 dollars or 2% of global turnover for the previous financial year, whichever is higher. An especially damaging data breach carries a maximum fine of $21 million or 4% of annual turnover, whichever is higher.

What does a Protection Officer do?

Businesses that engage in personal data processing activities must appoint a Data Protection Officer (DPO) to oversee the compliance program. Additionally, DPOs are responsible for data organization measures and are the point of contact for employee data protection training. Lastly, they are the formal data protection lead for breach records and for individual data subjects.