TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. What Are the Data Protection Act Principles? Full Guide
Legal Compliance

What Are the Data Protection Act Principles? Full Guide

Learn what the data protection act principles are, how they apply to your business, and what compliance looks like under UK law.

TermsBox Team|April 3, 202615 min read

Understanding what the data protection act principles are is essential for any organisation handling personal data in the United Kingdom. The data protection act principles form the foundation of UK privacy law, and every business that collects, stores, or uses personal information must comply with them.

This guide breaks down each principle, explains what compliance looks like in practice, and covers the consequences of getting it wrong. This content is educational and does not constitute legal advice. Consult a qualified solicitor for guidance specific to your organisation.

What Are the Data Protection Act Principles?

The data protection act principles are a set of seven rules that govern how organisations must handle personal data. They are set out in Article 5 of the UK GDPR, which is incorporated into UK law through the Data Protection Act 2018 (DPA 2018). These principles replaced the eight principles of the earlier Data Protection Act 1998.

The seven principles require that personal data must be:

  1. Processed lawfully, fairly, and transparently (lawfulness, fairness, and transparency)
  2. Collected for specified, explicit, and legitimate purposes (purpose limitation)
  3. Adequate, relevant, and limited to what is necessary (data minimisation)
  4. Accurate and, where necessary, kept up to date (accuracy)
  5. Kept for no longer than is necessary (storage limitation)
  6. Processed securely using appropriate technical and organisational measures (integrity and confidentiality)
  7. Demonstrated to be compliant by the data controller (accountability)

These principles are not optional guidelines. They are legally binding obligations enforced by the Information Commissioner's Office (ICO), and failing to follow them can result in fines of up to 17.5 million GBP or 4% of global annual turnover.

Principle 1: Lawfulness, Fairness, and Transparency

The first of the data protection act principles requires that every instance of personal data processing has a valid legal basis, treats individuals fairly, and is transparent about what happens to their data.

Legal basis

Article 6 of the UK GDPR lists six lawful bases for processing personal data:

  • Consent: The individual has given clear, informed, and freely given consent for a specific purpose.
  • Contract: Processing is necessary for the performance of a contract with the individual, or to take steps at their request before entering a contract.
  • Legal obligation: Processing is necessary to comply with a legal obligation (other than a contractual one).
  • Vital interests: Processing is necessary to protect someone's life.
  • Public task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
  • Legitimate interests: Processing is necessary for the legitimate interests of the controller or a third party, unless overridden by the individual's rights and freedoms.

You must identify and document your lawful basis before you start processing. Changing your legal basis after the fact is not permitted unless you can demonstrate the new basis was appropriate from the start.

Fairness and transparency

Fairness means you must not process data in ways that are detrimental, unexpected, or misleading to the individuals concerned. Transparency requires you to tell people what you are doing with their data through a clear, accessible privacy policy. This includes identifying who you are, what data you collect, why you collect it, who you share it with, and how long you keep it.

Principle 2: Purpose Limitation

The purpose limitation principle states that personal data must be collected for specified, explicit, and legitimate purposes and must not be further processed in a manner incompatible with those purposes. This principle is found in Article 5(1)(b) of the UK GDPR.

In practice, this means:

  • You must clearly state your purposes for collecting data at the point of collection.
  • You cannot repurpose data for objectives that are incompatible with the original purpose without obtaining fresh consent or identifying a new lawful basis.
  • Each new purpose must be documented and communicated to the individual.
  • Archiving in the public interest, scientific research, historical research, and statistical purposes are generally considered compatible with original purposes under Article 89(1).

For example, if you collect email addresses for order confirmations, you cannot later use those addresses for marketing without a separate lawful basis. Sending promotional emails based on a "contract performance" legal basis that was chosen for transactional communications would violate purpose limitation.

Principle 3: Data Minimisation

Data minimisation requires that personal data be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. Article 5(1)(c) of the UK GDPR codifies this principle.

This principle directly challenges the practice of collecting data "just in case." Organisations must evaluate whether every piece of personal data they collect is genuinely needed. Questions to ask include:

  • Do you need all the fields on your registration form, or could you achieve your purpose with fewer?
  • Are you collecting sensitive data categories (health, ethnicity, political opinions) when non-sensitive data would suffice?
  • Could you use pseudonymised or anonymised data instead of directly identifiable information?

The ICO has taken enforcement action against organisations that collected excessive data. A privacy-by-design approach, where data collection is considered at the system design stage rather than added retroactively, is the most effective way to comply.

Principle 4: Accuracy

Under Article 5(1)(d) of the UK GDPR, personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.

Accuracy obligations include:

  • Verification at collection: Implementing validation checks on forms to catch obvious errors in email addresses, phone numbers, and postal codes.
  • Ongoing maintenance: Establishing procedures to review and update records at appropriate intervals, particularly for data that changes over time such as addresses and job titles.
  • Correction mechanisms: Providing individuals with a straightforward way to request corrections to their personal data, as required by the right to rectification under Article 16.
  • Source documentation: Recording where data came from so you can verify its accuracy if challenged.

Accuracy does not require perfection. The standard is that you take "reasonable steps" given the nature of the data and your purposes for processing it. Medical records demand a higher standard of accuracy than a marketing mailing list.

Principle 5: Storage Limitation

The storage limitation principle under Article 5(1)(e) states that personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed. In plain terms, you cannot keep personal data indefinitely.

Compliance requires a data retention policy that specifies:

  • How long each category of personal data is kept
  • The justification for each retention period
  • The process for securely deleting or anonymising data when the retention period expires
  • Any legal requirements that mandate minimum retention periods (such as tax records, which must be kept for six years under HMRC rules)

The ICO has published guidance emphasising that retention periods should be based on genuine need, not administrative convenience. "We might need it someday" is not a valid justification for retaining personal data.

Automated deletion processes are strongly recommended. Manual deletion relies on human memory and is prone to oversight. TermsBox's privacy policy generator can help you document your retention periods clearly for your users.

Principle 6: Integrity and Confidentiality (Security)

Article 5(1)(f) of the UK GDPR requires that personal data be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organisational measures.

This principle does not prescribe specific security technologies. Instead, Article 32 requires you to implement measures "appropriate to the risk," taking into account:

  • The state of the art in security technology
  • The cost of implementation
  • The nature, scope, context, and purposes of processing
  • The risks to individuals

Technical measures

  • Encryption of personal data at rest and in transit
  • Access controls restricting data access to authorised personnel only
  • Pseudonymisation where feasible to reduce risk
  • Regular testing and evaluation of security measures
  • Backup systems with tested recovery procedures

Organisational measures

  • Staff training on data protection and security awareness
  • Clear policies on acceptable use, password management, and incident reporting
  • Data Protection Impact Assessments (DPIAs) for high-risk processing under Article 35
  • Documented incident response procedures for personal data breaches
  • Contracts with data processors that include Article 28 requirements

The ICO has issued significant fines for security failures. British Airways received a 20 million GBP fine (reduced from an initial 183 million GBP notice) for inadequate security measures that led to a data breach affecting approximately 400,000 customers.

Principle 7: Accountability

The accountability principle, set out in Article 5(2) of the UK GDPR, requires that the data controller be responsible for and be able to demonstrate compliance with all the other principles. This was the most significant addition when the UK GDPR replaced the DPA 1998, which had no equivalent requirement.

Accountability means compliance is not enough on its own. You must be able to prove it. The ICO expects organisations to maintain:

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now
  • Records of processing activities (ROPA): Required under Article 30 for most organisations, documenting what data you process, why, the legal basis, retention periods, and any transfers.
  • Data protection policies: Internal policies that explain how each principle is applied in practice.
  • Data Protection Impact Assessments: Required under Article 35 for processing that is likely to result in a high risk to individuals.
  • Data Protection Officer (DPO): Required under Article 37 for public authorities and organisations whose core activities involve large-scale systematic monitoring or processing of special category data.
  • Training records: Evidence that staff understand their data protection responsibilities.
  • Breach response logs: Documentation of any personal data breaches, including those that did not meet the threshold for ICO notification.

The accountability principle has fundamentally changed how organisations approach data protection. Rather than waiting for the ICO to investigate, organisations must proactively build compliance into their operations.

What Are the Principles of the Data Protection Act in Practice?

Understanding what the principles of the data protection act mean on paper is one thing. Applying them in daily operations is another. Here is what practical compliance looks like for a typical business.

Website data collection

Your website likely collects personal data through contact forms, newsletter signups, account registration, and analytics tools. Each of these touchpoints must comply with all seven principles:

  • Lawfulness: Identify and document a lawful basis for each form. Newsletter signups require consent. Account creation may rely on contract.
  • Transparency: Display a clear privacy policy that explains what data is collected and why. Link to it from every form.
  • Data minimisation: Only ask for information you genuinely need. A newsletter signup should require an email address, not a full postal address.
  • Security: Use HTTPS, validate and sanitise form inputs, store passwords using strong hashing algorithms, and restrict database access.

Using a compliance tool like TermsBox can help you generate a privacy policy that accurately reflects your data practices and keep it aligned with what your website actually does through automated scanning.

Employee data

HR departments process significant volumes of personal data, including some of the most sensitive categories. Payroll records, health information, performance reviews, and recruitment data all fall under the data protection act principles. Key considerations include storing recruitment data only for as long as necessary (typically six months for unsuccessful applicants, unless longer is justified), maintaining strict access controls so only authorised HR staff can view sensitive records, and conducting DPIAs for any employee monitoring systems.

Third-party sharing

When you share personal data with third parties, whether suppliers, marketing platforms, or cloud service providers, you remain responsible for compliance with the principles. Article 28 requires written contracts with processors that specify the subject matter and duration of processing, the nature and purpose of processing, the types of personal data involved, and the controller's obligations and rights.

How the ICO Enforces the Data Protection Act Principles

The Information Commissioner's Office is the UK's independent supervisory authority for data protection. The ICO has a range of enforcement powers under the DPA 2018 and UK GDPR.

Enforcement tools

  • Information notices: Requiring organisations to provide specific information about their processing activities.
  • Assessment notices: Allowing the ICO to carry out compulsory audits of an organisation's data processing.
  • Enforcement notices: Ordering organisations to take specific steps to comply, or to stop processing in a particular way.
  • Penalty notices: Imposing administrative fines for breaches of the principles or other UK GDPR requirements.

Fine structure

The UK GDPR establishes two tiers of administrative fines:

  • Standard maximum: Up to 8.7 million GBP or 2% of global annual turnover (whichever is higher) for violations of obligations relating to data processors, certification bodies, and monitoring bodies.
  • Higher maximum: Up to 17.5 million GBP or 4% of global annual turnover (whichever is higher) for violations of the data protection principles, conditions for consent, data subject rights, and international transfer provisions.

The ICO considers multiple factors when setting fine amounts, including the nature, gravity, and duration of the infringement; whether the breach was intentional or negligent; actions taken to mitigate damage; the degree of responsibility; any previous infringements; and the categories of personal data affected.

Notable enforcement actions

The ICO has issued substantial fines for principle violations:

  • Clearview AI (2022): 7.5 million GBP for collecting facial images from UK internet users without a lawful basis, violating the lawfulness and transparency principles.
  • British Airways (2020): 20 million GBP for inadequate security measures, violating the integrity and confidentiality principle.
  • Marriott International (2020): 18.4 million GBP for failing to implement appropriate security measures following a data breach that exposed 339 million guest records globally.

Steps to Comply with the Data Protection Act Principles

Compliance with the data protection act principles is an ongoing process, not a one-time project. These steps provide a framework for building and maintaining compliance.

  1. Audit your data processing: Map every instance where your organisation collects, stores, shares, or deletes personal data. Document the lawful basis, purpose, data categories, retention period, and security measures for each.

  2. Create your Records of Processing Activities: Use the audit results to build your ROPA as required by Article 30. This document serves as the backbone of your accountability obligations.

  3. Review your privacy notices: Ensure your privacy policy accurately describes your current processing activities, is written in plain language, and is easily accessible to data subjects.

  4. Implement technical security measures: Encrypt data in transit and at rest, enforce access controls, patch software regularly, and test your backup and recovery procedures.

  5. Train your staff: Everyone who handles personal data must understand the principles and their practical responsibilities. Maintain training records as evidence of accountability.

  6. Establish a breach response plan: Document how you will detect, contain, assess, and report personal data breaches within the 72-hour notification window required by Article 33.

  7. Review regularly: Schedule annual reviews of your data processing activities, retention schedules, security measures, and privacy notices. Data protection compliance is not static.

Frequently Asked Questions

What are the seven principles of the Data Protection Act 2018?

The seven principles are lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. These principles are set out in Article 5 of the UK GDPR and Section 34 of the Data Protection Act 2018, and they apply to every organisation that processes personal data.

How do the Data Protection Act principles differ from the original 1998 principles?

The 1998 Act had eight principles, while the current framework under the DPA 2018 and UK GDPR has seven. The most significant addition is the accountability principle, which requires organisations to actively demonstrate compliance rather than simply following the rules. The current principles also carry substantially higher penalties, with maximum fines rising from 500,000 GBP under the old Act to 17.5 million GBP or 4% of global annual turnover under the UK GDPR.

What happens if you breach the data protection act principles?

Breaching the data protection act principles can result in enforcement action by the Information Commissioner's Office (ICO). Penalties include enforcement notices requiring specific corrective actions, assessment notices, reprimands, and administrative fines of up to 17.5 million GBP or 4% of global annual turnover under Article 83 of the UK GDPR. Individuals also have the right to claim compensation for material or non-material damage under Article 82.

Do the data protection act principles apply to small businesses?

Yes. The principles of the data protection act apply to every organisation that processes personal data, regardless of size. There are no exemptions for small businesses. However, the ICO recognises that compliance measures should be proportionate to the risk and scale of processing. A sole trader collecting customer email addresses for order confirmations faces lighter obligations than a company processing health data at scale, but both must comply with all seven principles.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

Legal Compliance

AI and Data Privacy: A Practical Guide for Businesses

Learn how AI and data privacy intersect, including legal obligations, compliance strategies, and steps to protect personal data in AI systems.

April 4, 202613 min read
Legal Compliance

AI GDPR Compliance: A Practical Guide for Businesses

Learn how AI GDPR rules affect your business, including legal obligations, compliance steps, and penalties for AI systems processing personal data.

April 4, 202614 min read
Legal Compliance

Apple's Data & Privacy Website: How to Use privacy.apple.com

Apple's data & privacy website at privacy.apple.com lets you download, correct, or delete your data. A step-by-step guide, plus how long a request takes.

April 4, 202613 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What Are the Data Protection Act Principles?
  • Principle 1: Lawfulness, Fairness, and Transparency
  • Legal basis
  • Fairness and transparency
  • Principle 2: Purpose Limitation
  • Principle 3: Data Minimisation
  • Principle 4: Accuracy
  • Principle 5: Storage Limitation
  • Principle 6: Integrity and Confidentiality (Security)
  • Technical measures
  • Organisational measures
  • Principle 7: Accountability
  • What Are the Principles of the Data Protection Act in Practice?
  • Website data collection
  • Employee data
  • Third-party sharing
  • How the ICO Enforces the Data Protection Act Principles
  • Enforcement tools
  • Fine structure
  • Notable enforcement actions
  • Steps to Comply with the Data Protection Act Principles
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.