All businesses must comply with GDPR (General Data Protection Regulation), but what does this mean? GDPR is a legal framework of guidelines for collecting and processing personal information from individuals who live in the European Union (EU). Since Brexit, UK companies must follow the rules set by UK GDPR, which has seven principles, just like the EU GDPR.

These principles are as follows:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

  1. Lawfulness, fairness and transparency

This principle means that companies must conduct data processing in a legal, fair and transparent way. Let’s break each component down:

Lawfulness

All processes you have that relate to EU citizens’ personal data must meet GDPR requirements, including data collection, storing and processing. The legislation has directions and norms for every step of your data management.

Fairness

Companies must process personal data responsibly without misusing the information or creating negative effects for an individual. Collecting, storing and processing data in a misleading or deceiving way means you’re not meeting the fairness requirements.

Transparency

The transparency principle requires companies to keep individuals informed about how their personal data is managed. You should always let clients or customers know exactly what you’re doing with their data, including who has access to it.

  2. Purpose limitation

You must inform your clients or customers about why you’re collecting their personal data. Data can only be collected if the individual has given their full consent, meaning they’re fine with sharing the information with you. You must be clear about how you intend to use the data and only use it for that purpose. If you need a customer’s information for another process that doesn’t relate to the original purpose, you must get their approval first. 

To determine if the new process needs the customer’s approval, you can ask yourself:

  • Is your new purpose very different from the original one?
  • Could additional processing have a negative impact on the individual?
  • Is the new purpose completely separate from the original one?
  • Is the new purpose unexpected?

Answering ‘yes’ to any of these means you need to ask again for consent.

  3. Data minimisation

This principle is designed to ensure that personal data is only collected, stored, used and processed if necessary to provide the required service or fulfil a purpose. Before collecting a customer’s data, you need to identify the minimal amount of data you need for a specific purpose. You also need to identify why you need the information.

In simple terms, only collect the minimum amount of data you need. For example, if you have a newsletter that clients can subscribe to, collecting any information beyond a name and email address is probably unnecessary.

  4. Accuracy

The accuracy principle means you’re responsible for ensuring that the personal data you hold is accurate. It’s supposed to encourage you to keep only relevant data, and to update and maintain the data you hold on a regular basis.

To make sure you comply with the accuracy principle, you need to do regular accuracy checks and implement procedures that help you update personal data if necessary. It’s best to start by identifying how often you need to update data to fulfil the purpose you want to achieve.

The good news is that this principle can actually help you get rid of any incorrect or unnecessary data clogging up your system. As a result, you’ll get a clearer picture of how relevant the data you’re processing is to your purpose for collecting it.

  5. Storage limitation

This principle is there to make sure you only keep personal data for as long as you need it. You’ll have to be able to justify why you’re keeping the data for a certain amount of time. It’s good practice to set up schedules for when to delete personal information from your database. 

Just remember that you need to justify why you’ve chosen the retention period (time frame for how long you’re keeping the data) and why it’s necessary for your purpose. So have a think about this and don’t forget to document it.

  6. Integrity and confidentiality

The integrity and confidentiality principle is often referred to as a security principle since it protects a person’s data from being shared with people who shouldn’t have access to it. As a business, you’re required to implement protective technical and organisational measures. You do this to prevent risks, unauthorised third-party access, or exploitation of data.

In other words, it’s your job to make sure that your customers’ personal information is safe at all times. 

  7. Accountability

The accountability principle means the data controller is responsible for complying with all GDPR principles. Most importantly, you’re responsible for demonstrating compliance (proving that you followed the regulations) if you need to. 

Be sure to document every step of your compliance journey, providing evidence of the steps you have taken so far to operate within the regulatory framework. This evidence could include:

  • Documentation of processing activities
  • Implementation of technical and organisational measures
  • Implementation of data protection policies
  • Data protection impact assessments (if you had to conduct one)
  • Appointment of a DPO (data protection officer)

Tip: To minimise errors and keep everything as organised as possible, it’s a good idea to document this evidence digitally. A paper-based system is not only outdated but also inefficient and prone to mistakes or lost documents.

Do you want to learn more about how data protection affects you? Then read our guide, “How does the Data Protection Act affect small businesses?”
