Privacy Principles of GDPR

Introduction to seven privacy principles of the GDPR

This post focuses on the seven major privacy principles of the GDPR. Article 5 outlines the following principles related to the processing of personal data, each of which is discussed in its own section below.

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality
  7. Accountability

Lawfulness, fairness and transparency

Processing organizations must have legitimate grounds for collecting and using personal data. For processing to be "lawful", every kind of processing of personal data must be in accordance with the law, including criminal and civil law. For example, if the processing of data involves committing a criminal offence, that is a clear case of unlawful processing. Here are some more cases that can be considered unlawful.

  • A breach of confidence — Some data, such as medical and banking data, are expected to be kept highly confidential during processing; a breach of such data is also considered unlawful.

In particular, Article 6 defines six lawful bases, and a few other articles further clarify lawful processing. According to those, to be lawful, data processing must rely on one of the following bases.

  1. Consent from the individual — The individual has given consent to the processing of their personal data for one or more purposes.

Processing of personal data should be fair and should take the following points into account.

  • Organizations should be open and honest about their identity and should clearly introduce themselves to individuals when collecting data.

Before any data is collected, each individual should be informed, in a concise, transparent and intelligible manner, about what kind of data is collected directly, what kind of data is derived from further processing, and which data is stored within the business together with its intended purpose.

One widely used approach is to provide a privacy notice such as "How we use your information". It is important to understand that this notice should be written in simple language, without expecting readers to know legal or technical jargon. Facebook, Google and Amazon publish good examples of privacy notices. The following is a list of items you can include in the privacy notice.

  1. The identity and contact details of the organization.

Purpose limitation

Processing of personal data is permissible if, and to the extent that, it is compatible with the original purpose for which the data was collected, and as far as the organization can demonstrate that the individual has consented to the use of their data for those purposes. It is not sufficient to record just the fact that the individual consented; the time and the method by which the individual gave consent must also be tracked as evidence.

Personal data collected for a specific purpose cannot be used for any other purpose. If the processing organization wants to process existing data for a purpose other than the original one, it is required to obtain further legal permission or consent from the individuals. For example, a phone number or e-mail address collected by an online shopping application for the purpose of sending order updates cannot be used for a marketing campaign about a clearance sale, unless you obtained clear consent from the customer, at the time the data was collected, to use their contact details for such marketing activity.

However, processing for public interest, scientific or historical research purposes, or statistical purposes is excluded from the purpose limitation principle.

Data minimization

Data processing organizations should ensure that they collect and process only the personal data necessary for each specific purpose (in terms of the amount of personal data collected, the extent of the processing, the period of storage and accessibility). According to the GDPR, data must be

“adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.

Collecting personal data that might be required for future business expansion is not allowed; processing organizations should identify the minimum amount of personal data needed to properly fulfil the purpose. You should hold that much information, but no more.

Accuracy

Data processing organizations should ensure that the personal data collected are accurate. If the data are not accurate, the organization should take all possible measures to rectify them. If rectification is not a viable option, the affected data should be anonymised or deleted without delay.

Providing easy-to-use tools that let individuals update their own profile data themselves is one of the best ways to support this principle; the self-care portals available with some IAM products are a good example of such tools. Enabling several channels for updating personal data also increases the chance that the data is accurate. For example, a processing organization can allow personal data to be updated through a self-care web portal, a mobile application, an e-mail, or a phone call to an agent.

Storage limitations

Data processing organizations can only store personal data for as long as the original purpose remains valid. Once the original purpose becomes invalid, the personal data should be deleted from storage, or the uniquely identifying data should be removed.

This principle also indicates that you should have some kind of periodic job to clean your databases in line with the compliance requirements. If you have to keep historical records, for auditing purposes for instance, you can keep that data after removing the uniquely identifying data; this is known as pseudonymisation.
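As an added example (not code from the original post), the periodic clean-up job described above: orders whose purpose has lapsed lose their identifying fields and get a keyed pseudonym so they remain auditable, and orders older than the audit window are deleted. The field names, the retention periods (90 days, 3 years) and the sample orders are constructed for the illustration.

```python
"""Retention job for the storage limitation principle: strip identity once the
purpose has lapsed, keep pseudonymised order facts for audit, delete after the
audit window. Example code; field names and periods are constructed."""
import hashlib
import hmac
from datetime import date

IDENTIFYING_FIELDS = ("name", "email", "phone")   # directly identify a person
TODAY = date(2024, 7, 1)                          # run date of the job (constructed)

def pseudonym(customer_id: str, key: bytes) -> str:
    """Keyed hash of the id. A plain SHA-256 of an e-mail or id could be reversed
    by hashing guesses, so an HMAC with a secret key kept apart from the audit
    store is used; the same key keeps one customer's audit rows linkable."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()[:16]

def apply_retention(records, today, purpose_days, audit_days, key):
    """Return (kept_records, deleted_customer_ids)."""
    kept, deleted = [], []
    for rec in records:
        age = (today - rec["order_date"]).days
        if age <= purpose_days:                   # purpose still valid: keep as-is
            kept.append(dict(rec))
        elif age <= audit_days:                   # keep order facts, drop identity
            audit = {k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}
            audit["customer_id"] = pseudonym(rec["customer_id"], key)
            audit["pseudonymised"] = True
            kept.append(audit)
        else:                                     # audit window over: delete
            deleted.append(rec["customer_id"])
    return kept, deleted

# Constructed sample orders of three different ages.
SAMPLE = [
    {"customer_id": "c-1", "name": "A. Example", "email": "a@example.com",
     "phone": "+0000000001", "order_total": 42.0, "order_date": date(2024, 6, 1)},
    {"customer_id": "c-2", "name": "B. Example", "email": "b@example.com",
     "phone": "+0000000002", "order_total": 15.5, "order_date": date(2023, 1, 10)},
    {"customer_id": "c-3", "name": "C. Example", "email": "c@example.com",
     "phone": "+0000000003", "order_total": 99.9, "order_date": date(2019, 3, 3)},
]

def run_sample(key: bytes = b"constructed-secret"):
    """90 days for order handling, then 3 years of pseudonymised audit history."""
    return apply_retention(SAMPLE, TODAY, 90, 3 * 365, key)
```

Running `run_sample()` keeps the one-month-old order intact, pseudonymises the eighteen-month-old one, and deletes the five-year-old one.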

Integrity and confidentiality

Data processing organizations should make sure that only authorized people have access to the data; additionally, strong passwords should be used. Proper policies should be in place to review the security of the data on a regular basis and to apply security updates whenever required. This also implies measures to prevent accidental loss, destruction or damage, and inappropriate usage, during personal data processing.

Accountability

According to this principle, data processing organizations should demonstrate that they comply with the privacy principles, and the GDPR states explicitly that this is the organization's responsibility. Which measures are appropriate in each case will depend on the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of individuals.

Processing organizations can use the following steps to comply with the accountability principle.

Implement appropriate technical and organizational measures that ensure, and demonstrate, that you comply with the following.

  • Establishing internal data protection policies and processes.

Maintain relevant documentation on processing activities.

Under the GDPR, an organization with more than 250 employees is required to keep records of processing activities. Organizations that process special categories of data, or data relating to criminal convictions and offences, also need to keep records of processing activities regardless of their size. These records should be accessible to the relevant supervisory authorities. For each processing activity, the following data needs to be recorded.

  1. Names and details of the organizations involved in the data processing activity (controllers and processors).

Data protection officer (DPO).

Where appropriate, appoint a data protection officer (DPO); we will discuss the DPO in a separate post.

Data protection by design and data protection by default

Implement measures that meet the principles of data protection by design and data protection by default; these may include the following principles.

  • Data minimisation

Conditions for consent

Considerations for user consent are a broad topic and require a separate discussion, but the following brief summary is given for the completeness of this post.

  1. When data processing is based on consent, the processing organization (processor) should be able to demonstrate that the particular individual has given explicit consent to the processing of their personal data for the specific purpose. Capturing and recording the time and method used to give the consent is also required.
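As an added example (not code from the original post), a consent ledger that implements both the purpose limitation rule from the section above and the consent requirement just stated: each consent record carries the purpose, the time and the method as evidence, and a processing request is allowed only while a matching, non-withdrawn record exists. The subject id, purposes, methods, notice version and timeline are constructed.

```python
"""Consent ledger for purpose limitation: processing is allowed only when a
recorded, non-withdrawn consent covers that exact purpose, and the record
keeps the time and method as evidence. Example code, not from the original
post; purposes, methods and timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Consent:
    subject_id: str
    purpose: str                     # one purpose per record, e.g. "order_updates"
    given_at: datetime               # evidence: when consent was given
    method: str                      # evidence: how (checkout checkbox, portal, ...)
    notice_version: str              # which privacy notice the person was shown
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    def __init__(self) -> None:
        self._records = []

    def record(self, c: Consent) -> None:
        self._records.append(c)

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> None:
        for c in self._records:
            if c.subject_id == subject_id and c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = at

    def evidence(self, subject_id: str, purpose: str, at: datetime) -> Optional[Consent]:
        """The consent record that authorised `purpose` at time `at`, or None."""
        for c in self._records:
            if (c.subject_id == subject_id and c.purpose == purpose
                    and c.given_at <= at and (c.withdrawn_at is None or at < c.withdrawn_at)):
                return c
        return None

    def may_process(self, subject_id: str, purpose: str, at: datetime) -> bool:
        return self.evidence(subject_id, purpose, at) is not None

# Constructed timeline: order placed, campaign planned, later opt-in, then withdrawal.
T_ORDER, T_CAMPAIGN = datetime(2024, 5, 1, 10, 0), datetime(2024, 5, 20, 9, 0)
T_OPTIN, T_WITHDRAW = datetime(2024, 6, 2, 18, 30), datetime(2024, 8, 15, 8, 0)

def build_ledger() -> ConsentLedger:
    ledger = ConsentLedger()
    ledger.record(Consent("cust-42", "order_updates", T_ORDER, "checkout checkbox", "v3"))
    ledger.record(Consent("cust-42", "marketing", T_OPTIN, "self-care portal", "v3"))
    ledger.withdraw("cust-42", "marketing", T_WITHDRAW)
    return ledger
```

With this ledger, the contact details consented for order updates are refused for the marketing campaign at `T_CAMPAIGN`, allowed after the separately recorded opt-in, and refused again from the moment of withdrawal.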

Sagara Gunathunga

Director — Solutions Architecture WSO2 ANZ. Integration and Identity Architect. PMC Member @ The Apache Software Foundation