What are the 8 principles of Data Protection and are you following them?


The General Data Protection Regulation (GDPR) is fast approaching and already knocking on the door, yet here we are talking about the Data Protection Act (1998) and its 8 principles of data protection. There is a good reason for that.

Are the 8 Principles of Data Protection Still Useful?

The primary focus is now firmly on organisational GDPR readiness and the consequences of violating its requirements. Whilst this remains the fundamental concern, high-profile infringements of the Data Protection Act are still surprisingly prevalent.

An investigation into the hacking of the personal data of over 3 million Carphone Warehouse customers and 1,000 employees found the company responsible for 11 data security failings, each significant enough on its own to breach the Data Protection Act (DPA). The company was subsequently fined £400,000. More importantly for you, the question remains whether your organisation's data policies are fully compliant with the current data protection laws, and not just the incoming GDPR.

There is certainly a long journey ahead to become fully GDPR compliant. As a starting point, though, you should (hopefully) already be complying with the Data Protection Act 1998, and be able to answer that question with confidence. Ensuring you are following the 8 principles is a big step towards building a foundation for GDPR compliance.

Data Protection Act Principles

To help firm up your organisation's data protection policies to a satisfactory level, 8 principles of data protection were created. The essential aim of these principles is to plainly outline the steps required to remain within the data protection law. So, what are the 8 principles of data protection? We have compiled them below with a description of each:


Personal data shall be processed fairly and lawfully

Process data fairly and transparently, and review your processing regularly to ensure these standards are maintained. Transparency should extend to clearly informing the individual concerned of your correct business details, how the data subject's information will be used, and that they are able to access that information on request.


Personal data must be obtained and processed for specified lawful purposes

Data obtained and processed should only be used for the specific purpose clearly stated at the outset. Never collect information you do not require, and never use that information for a purpose beyond the stated intention.


Personal data shall be adequate, relevant and not excessive

Do not collect data that is not immediately required. A good rule of thumb for remaining compliant is to acquire the bare minimum of information you will need for the specified use.


Personal data must be accurate and kept up to date accordingly

Ensure the data you hold is accurate and that you have taken reasonable steps to guarantee, to the best of your knowledge, that it is accurate. Any data that does not meet this standard should be corrected or erased immediately.


Personal data shall not be kept for any longer than is necessary

Stored data should not be kept any longer than necessary. Where possible, the information should be easily accessible to the individual within the retention period you have set. Once that period has passed, the information should be erased.


Personal data shall be processed in accordance with the rights of data subjects

A full understanding of the rights of data subjects is a necessity, so that data can be processed in accordance with those rights. The responsibilities of the data controller must be clearly defined in order to fully comply with this principle.


Personal data must be kept safe and secure at all times

All appropriate steps must be taken to protect the data you store. Preventing unauthorised or unlawful access and processing, and accidental loss, damage or destruction of the data, is a foremost priority. It is your responsibility to ensure that the integrity of the people handling the data and the reliability of the technical systems in use meet an acceptable standard.


Personal data shall not be transferred outside the European Economic Area unless sufficient protection is ensured

Personal data should never be transferred outside the European Economic Area (EEA) unless the destination country provides an adequate level of protection for the processing of personal information.


When GDPR comes into effect in May, these data protection laws are going to tighten significantly. By understanding the basics and learning to walk before you run, you give yourself a platform to thrive from.

It’s worth noting that these data protection principles act only as an easy-to-understand guide to adhering to the Data Protection Act. The law itself goes into far more granular detail on topics such as CCTV, and it is worth consulting the Information Commissioner's Office (ICO) guidance for more information on those matters.

Running through every change GDPR brings would be excessive and outside the scope of this article. To convey the extent of the change required to comply with GDPR, the table below highlights some key differences between the two.

Scope
Data Protection Act (DPA): The Data Protection Act concerns only those within the UK.
General Data Protection Regulation (GDPR): GDPR covers a greater spectrum of organisations, as it applies to all within Europe and to those outside Europe that process data within it. The UK will still comply with the GDPR once Brexit has been finalised.

Fines
Data Protection Act (DPA): Breaches of the data protection principles or the Act are liable to a fine of up to £500,000.
General Data Protection Regulation (GDPR): Those who breach the GDPR are liable to a maximum fine of 4% of global turnover or €20m, whichever is greater.

Children's data
Data Protection Act (DPA): No requirement for parental consent when processing a minor's personal data.
General Data Protection Regulation (GDPR): Requires consent from the holder of parental responsibility for a child under the age of 16 (this may differ by country but can never be set below 13 years old).

Data Protection Impact Assessments
Data Protection Act (DPA): A Data Protection Impact Assessment (DPIA) is recommended but not required by law.
General Data Protection Regulation (GDPR): A DPIA is a necessary measure, particularly when data processing carries a level of risk. Failure to carry one out may incur a fine of 2% of global revenue or €10m, whichever is greater.

Breach notification
Data Protection Act (DPA): Notifying the Information Commissioner's Office (ICO) of a breach is not a requirement.
General Data Protection Regulation (GDPR): Data breaches that put the rights of a natural person at risk must be reported to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of them.

Data Protection Principles Explained – What Now?

Following the data protection principles not only keeps you within the law but also gives you a good foundation for tackling GDPR. After all, GDPR is the big brother and the next level of data protection. Maybe you’re sat there thinking you don’t need to re-assess your DPA compliance because you’ve never had a known infringement, but in reality you could be setting yourself up for a damaging and naive fall.

As stringent as GDPR is on data security, it also increases the number of attackers by adding a further incentive for ransomware. Ransomware attacks spiked in 2017 and are expected to do so again in 2018, with Internet of Things (IoT) devices becoming a more prevalent target. Put simply, the harsher the economic and social consequences of a breach, the more likely an attacker is to target a business for ‘hush hush’ money.

So, as the incentive for ransomware grows, the more of it we are likely to witness. This raises the question of whether we will see more previously unknown security flaws exposed in 2018, some of which we will probably never even hear about.

Maybe you have security flaws that haven’t been exploited yet. Maybe your systems are perfect. But do you really want to leave it to chance? Understand the basics, follow the 8 principles of data protection, review your systems, processes and permissions, and then build bit-by-bit towards GDPR compliance.
