Table 3. Principles of GDPR.
| Principles of GDPR2 | Description |
|---|---|
| 1. Lawfulness, fairness, and transparency | Organizations must clearly identify a valid legal basis for processing personal data in order to comply with the law. The Common Information Security Control identifies six justifications for processing personal data, at least one of which must apply: consent, contract, legal obligation, vital interests, public task, and legitimate interests. |
| 2. Purpose limitations | By following this principle, companies ensure that data subjects know why their data is being collected and have reasonable expectations about how the company intends to handle it. It also gives data subjects some control over how their personal information is used in the future and lets them decide whether they are willing to provide it. |
| 3. Data minimization | The GDPR requires companies only to collect and retain the minimum amount of data necessary to fulfill their specific purpose. The regulation stresses the importance of collecting data that is relevant, necessary, and required. It also prohibits the practice of collecting data without a clear purpose, only in case it may be useful in the future. However, it does allow for the collection of data in anticipation of a known future need. |
| 4. Accuracy | The GDPR requires companies only to collect and retain the minimum amount of data necessary to fulfill their specific purpose. The regulation stresses the importance of collecting data that is relevant, necessary, and required. It also prohibits the practice of collecting data without a clear purpose, only in case it may be useful in the future. However, it does allow for the collection of data in anticipation of a known future need. |
| 5. Storage limitation | The GDPR stipulates that personal data should only be kept for as long as is necessary for the purpose for which it was collected. The regulation does not provide specific timeframes for data retention, and it is up to the companies to justify the length of time that they retain data. The longer the retention period, the greater the likelihood that the data will become inaccurate or outdated. |
| 6. Integrity and confidentiality | This requirement extends beyond Internet security and also covers organizational and physical security. Under GDPR, only those with appropriate authorization may access and manage personal data. In addition, if personal data is accidentally lost, altered, or destroyed at any point, there must be a way to recover it, so that data subjects suffer no harm. |
| 7. Accountability | This part of GDPR requires those handling personal data to take responsibility for how they interact with that data and for their adherence to the relevant criteria. To meet this requirement, both measures and records must be in place to demonstrate compliance. It also means that, in the event of a problem such as a data breach, it can usually be shown that safeguards and measures were in place to minimize the likelihood of such an occurrence, which may provide relief from enforcement action. |