The 7 Pillars of GDPR Compliance

08 Jun

If you have read our previous article about whether you need to comply with the GDPR and have reached the conclusion that it is mandatory for you, these are the 7 principles (we call them the pillars of the GDPR) as outlined by the ICO.

The GDPR is built on 7 key principles. They are set out at the very beginning of the legislation (Article 5) and inform everything that follows. They are not a checklist of hard rules but rather “embody the spirit” of the GDPR. The summaries below follow the guidance published by the UK's independent regulator, the Information Commissioner's Office (ICO), and are not legal advice.


Lawfulness, fairness, and transparency:


Organizations must identify a valid lawful basis for the collection and use of personal data. You must ensure that you don't do anything with the data that is in breach of any other law. The data must be handled in a way that is not unduly detrimental, unexpected or misleading to the individual.


You must be clear, open and honest from the start about what you will use the personal data for.


Purpose Limitation:


You must be clear from the start about what your purposes are for processing personal data. You need to record your purposes and set them out in your privacy policy. You can't use the personal data for any new purpose that is incompatible with your original purpose. These purposes need to be regularly reviewed, updated and presented to the user.


Data Minimization:


Businesses should identify the minimum amount of data required to meet their stated purposes, and this is the maximum amount of data that the business should hold at any time. Data can only be collected for the specified purposes, those purposes must be periodically reviewed, and any data held that is no longer needed for them should be removed.


Accuracy:


It is the business's obligation to take all reasonable steps to ensure that any personal data it holds is not incorrect or misleading. If you discover that personal data is incorrect or misleading you must take reasonable steps to correct or erase it as soon as possible.


Storage Limitation:


You must keep personal data for no longer than is necessary for the purposes you hold it for. As a business you will need to justify how long you store personal data, typically in a retention policy, and once again you should periodically review what you hold and erase or anonymize data when you no longer need it.


Integrity and confidentiality (security):


Your business must ensure that appropriate technical and organizational measures are in place to protect the personal data you hold against unauthorized or unlawful processing and against accidental loss, destruction or damage. Doing this effectively will require your business to consider things like risk analysis, organizational policies, and physical and technical measures; the GDPR itself names pseudonymization and encryption, the ability to restore availability after an incident, and regular testing of the effectiveness of your measures as examples.


Accountability Principle:


The accountability principle requires you to take full responsibility for what you do with personal data and how you comply with the law. You must have appropriate measures in place and keep records that demonstrate your compliance.