What Are the Eight Principles of the Data Protection Act?

The UK Data Protection Act was originally designed to protect personal data stored on computers and paper filing systems. Since then, technology has evolved substantially and so have many of the permissions surrounding it, however, the core principles stay the same – 8 principles of the data protection act still apply today and ensure that personal information is processed and stored lawfully.


Over 89,000 cases of data breach were reported from national authorities in the first year of GDPR. The Act is not designed to catch anyone out, simply provide a robust framework for you or your employee to understand their obligations towards customers and their personal details. 

Recently, the UK Department of Education failed its own government’s standards. It seems it’s back to school for the rest of 2020 for the DoE.

The European Union GDPR came into effect in 2018, through the 2018 Data Protection Act – a modification of the original 1998 act. It seems millions of businesses are still not GDPR compliant; some say they find it confusing.

Like most laws, regulations and other complex things, it’s far easier to break it all down into small, digestible chunks. No need to tie yourself up in virtual red tape trying to understand The Data Protection Act. Take these 8 principles one at a time and you’ll get the hang of the Act in no time.


Fair and Lawful Use, Transparency

The principle of this first clause is simple. You or your business may only collect, process, and hold personal information in a fair and transparent way. For this reason, you are required to ask for consent and explain why you need those details.

You can collect email addresses to send the invoice and dispatch confirmation. Under the new regulations though you cannot pre-check the marketing data or third-party business box. The customer must make the effort to check it themselves. Make it prominent and they will see it!

These 8 key data protection principles under GDPR can be upheld through the proper GDPR compliance training here.


Specific for Intended Purpose

You must also collect personal data for the specific use for which the data owner or owners grant permission. You may not transfer, sell, or duplicate it for other purposes.

Let’s say your customer bought a new battery for the mobility scooter. Information the customer enters is only usable for that website or service. You may not hawk that personal data to another bit of your company, like one that sells customer mobility scooter insurance.


Minimum Data Requirement

The 2nd of the 8 principles of the Data Protection Act is that you cannot ask for otherwise irrelevant details. Everything you do hold must be “adequate and relevant” according to legislation.

Don’t be like the German division of apparel company H&M, who received a dressing down in 2020. They recorded personal details about employee whereabouts following absence – not just sickness, but holidays too. They stored it without permission and now have to head back to the fitting room to rethink the policy.


Need for Accuracy

The Data Protection Act requires that you check in periodically to ensure whatever information you hold is still accurate. Customers change address, email address, phone number and other contact details. Contact regularly by email and/or post to ask them to check their details. It’s good policy to ask if they’re still happy to keep the records on file.

Nobody wants to keep getting marketing material for people who moved out five years ago as some of us here at the Skills Platform occasionally discuss. It isn’t just a waste of time, but money too. Likewise, the legal requirement covers your customers against unauthorised people viewing sensitive details



Data Retention Time Limit

The fifth of the 8 principles of the Data Protection Act states how long you can keep their details. Technically you could keep such details in perpetuity if the customer never withdraws their consent. However, it is good business practice to remove customer personal data after a dormant period and have a strong company policy.

GDPR does not state how long you may keep it before deletion. Most businesses send out emails or letters every year listing previously held information. They then invite the customer to update the data or even request deletion.


The right to be forgotten

Your customers have the right to know precisely what you know about them, and thus the right to stop you from using it. This applies even where consent was obtained lawfully and in good faith. 

User rights also include the right to request that you delete all information pertaining to them, or just specific details. This is the much-heralded “right to be forgotten”, processed through something called the Subject Access Request.


Ensuring Data Security

This GDPR principle stipulates your duty to protect personal details and engage in good data governance practices. No matter your business’ size, you need a system and a secure network to protect processed personal data. The system must be robust against attack; you must also ensure that the level of security is appropriate to the business. 

Businesses handling sensitive information like health records or credit cards require much higher standards than a mailing list for example. GDPR applies to health records too even though other regulations apply. One does not negate or supersede the other.



The last of the 8 principles of the Data Protection Act is ensuring you follow all these measures. Accountability in this case simply means demonstrating that the Data Controller is implementing their legal duties. This person must show that they have appropriate procedures in place for what might happen in a data breach, privacy policies, and keep records about how you process personal data.

Bigger businesses (those with over 250 employees processing over 5000 records per year) must appoint a dedicated Data Protection Officer.


In Conclusion: 8 Principles of the Data Protection Act 2018

Everything you do as a business regarding customer data should safeguard it. Not only is it a legal requirement, but your customers feel much happier knowing you will protect their data. The UK’s Data Protection Act has been well-received as a whole, with 62% of British stating they feel more confident in a poll conducted a year after its implementation.

The GDPR 8 key data protection principles have been carefully developed to help you understand your requirements and responsibilities. It enables data protection and security for individuals primarily but, perhaps more than anything, it is also a system to help you comply. Yet, so many companies still find themselves in a pickle. 

For this reason, in order to protect themselves as well as their staff, many employers opt to inculcate such principles in their team through robust GDPR compliance training.

This post was last modified on 13 March 2023


Recent Posts

A brief history of phlebotomy

We all experience blood being taken at some point in our lives, but what you might not know is how… Read More

9 February 2023

Pharmacists Train Up for Post-Lockdown Demand – Free CPD Courses

With restricted access to GP practices, people are turning to their local pharmacists. 56% of pharmacists have experienced increased hours.… Read More

25 January 2023

The Benefits of Employer Branding – Examples and Strategies

In this article, we will discuss employer branding examples, along with good strategies. Some companies try and entice a potential… Read More

15 November 2022