Principles of UK GDPR

Under UK GDPR, companies that control or process personal data must follow these principles:

  • data processing must be lawful, fair and transparent
  • data should only be collected for specific, explicit and legitimate purposes
  • data collection should be limited to what is needed for the purpose for which it is processed
  • data should be accurate, and every reasonable step should be taken to ensure it remains accurate
  • data should not be kept for any longer than is needed for the purpose for which it is processed
  • data should be processed securely and protected against unlawful processing
  • the data controller must:
    • take responsibility for what the company does with personal data
    • be able to evidence the company has followed these principles