6 Principles of GDPR

How to prove compliance and protect personal data

The cost of not understanding or following the GDPR principles is too high to ignore. To be more specific, according to GDPR.EU, noncompliance with GDPR principles can lead to fines of up to 4% of a company’s global turnover. However, it might be hard to decide where to start in the implementation process.

We have prepared the following article, which complements a previous GDPR article, with information about the main principles of GDPR and what they mean for your business.

GoWombat will help you to consider what your company needs to start conforming to the GDPR successfully.

What is GDPR?

The General Data Protection Regulation (GDPR) is a part of EU law on data privacy protection. The GDPR is essential for companies with EU licences, as well as business and non-profit organisations that collect and store users' personal data. It's important to clarify that GDPR protects the rights of all EU and UK citizens. The GDPR applies throughout the European Economic Area.

GDPR compliance is a long process; its details and duration depend on the country where the business is registered and that country's legislation.

What is the purpose of GDPR?

In short, it is the protection of information that can be used to identify individuals on a personal level.

GDPR controls the organisations that collect this kind of information and use it for their own purposes.

Note that the GDPR primarily protects personal data. Personal data means anything that could help identify an individual person. Anonymous or non-personal data, by contrast, fall outside the GDPR's jurisdiction, because no person can be identified from that type of information. GDPR compliance is required for every data collection method, whatever tools perform it.

There are three roles in GDPR processes: the data subject, the data controller, and the data processor.

Data subjects

This is the owner of the personal data: in practice, the person or organisation whose privacy and data safety rights the GDPR is meant to protect.

Data processor

This is an organisation or individual responsible for processing personal data on behalf of the data controller.

Data controller

This is the party that collects personal data and uses it for its own purposes.

What are the six principles of the GDPR?

According to the Data Protection Act, the six principles of the GDPR are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality.

Lawfulness, fairness and transparency

According to the first GDPR principle, your company must treat users' data in compliance with the law. An important detail of this principle is fairness: it is not enough to collect a data subject's information merely by citing the law. The rules and the subject's rights have to be clearly explained to them. Companies' privacy policies should therefore transparently explain what kind of data they collect and why.

The privacy policy, which forms part of this first principle, must give complete information about what types of data you collect, why you need the data, how you process it, and whether you intend to share it with third parties.

Remember that the country where the organisation is registered may have its own laws on collecting and using personal data.

Purpose limitation

This principle protects the subject's data from overuse: you may only collect the data needed for a particular purpose. Moreover, how long you store this data is limited and tied entirely to the purpose for which it was gathered.

Data minimisation

Organisations may collect and process only the personal data they need to fulfil their stated purposes. The advantage of this rule is that access to sensitive data within the company is limited, and storing and updating that data becomes easier.

Storage limitation

Once collected, users' personal data may be stored only for a limited time, usually the shortest period for which the company needs it. Afterwards, the personal data has to be properly deleted. Under this rule, data collectors can't sell emails or phone numbers to third parties or use them to create accounts automatically without the data subject's permission.

Accuracy

The party that collects and stores people's personal data is responsible for guaranteeing its accuracy. This means the company should take reasonable and lawful steps to achieve data accuracy where needed. Data must be accurate enough not to lead to any misunderstandings.

Follow these rules to stay compliant with the data accuracy principle:

  1. Be ready to ensure data accuracy.
  2. Set up processes for identifying the data that should be updated.
  3. Track all mistakes in stored personal data.
  4. Give users the possibility to exercise their right to change their data.
  5. Track and record data sources.

Demonstrating fairness and integrity is a basic requirement when working with personal data.

Integrity and Confidentiality

The data holder should assure data subjects that their personal information is stored securely and provide evidence of the security level. Moreover, the company can't collect data that it couldn't store in accordance with cyber- and information-security standards.

Bonus principle: Accountability

To prove accountability, the company or individual should be able to show data safety documentation. Accountability might be checked by a DPO (data protection officer). There are also a number of documents and standards on GDPR compliance, for example ISO 27001, ISO 27701, and PCI DSS.

Why are GDPR principles important?

Data subject rights compliance

The GDPR protects data subjects' privacy rights. Among them, the most significant are the right to be forgotten, the right of access, the right to object, the right to rectification, and the right of portability.

Right to be forgotten

All data subjects have the right to ask for their personal information to be deleted from storage to which they don't have lawful access.

The right to access

The law protects users' right to access their sensitive personal data on request. Access to stored data might also be requested by lawyers during trials. However, data collectors can deny this right if national security or law enforcement gives reasons to override it.

The right to object

All data subjects have the right to refuse to give their personal information. However, companies can decline such objections if the organisation satisfies the legal conditions of the GDPR. In that case, the party collecting the data should notify the subject and explain the reasons for declining.

The right to rectify

Human error leads to mistakes in personal data. Therefore, as the responsible party, the company needs to give subjects the possibility to rectify such mistakes in their data.

The right of portability

Upon the data subject's request, all personal data the company collects and stores can be removed or transferred to third parties.

Who is the subject of GDPR compliance?

According to the general definition, the subject of GDPR compliance is the person or company whose data was collected and processed by a second or third party. Meanwhile, the data subject is a person who has personal information that organisations could use.

Gaining clients' trust by demonstrating conformance to the GDPR is a major advantage when collecting personal data.

How do small and medium businesses benefit from GDPR?

Gaining clients' trust

Users need to be sure they control their data. The need to manage and protect your data emerged when cloud data theft and blackmail became part of a new reality.

Avoiding damages and lawsuits

Regardless of their industry, most companies we encounter online collect users' information in various ways. Whether a hospital, a bank, or a school, all these organisations collect and process vast amounts of data. This data is used both for the companies' benefit and for running routine work processes.

Whatever the company's final goal, the data collector is always responsible for not disseminating the information obtained. Noncompliance with the GDPR leads to fines from governments and compensation for customers.

GoWombat will help you to consider what your company needs to comply with the GDPR successfully.

Go Wombat's experience

The steps we take to implement GDPR compliance are generally uniform, but the details are specific and customised to each client.

Consultation first

Before setting any strategy, we have to understand your business needs. We gather information on your industry and niche, what budget you can allocate for GDPR compliance, and so on.

Next, we assess how much work is needed to fulfil your needs. Sometimes this means developing a website in line with the GDPR, or working on an application. Sometimes our clients need only a privacy policy created. But whatever you need, we'll provide high-quality services.

Gap analysis

Risk assessment is also a crucial stage. Our specialists calculate individual risks and propose ways to overcome them.

The last stage of work is the implementation of GDPR compliance with the optimal methods for the customer.

What can you get for data protection within your company?

  1. Privacy policy creation. This document is a customised inner security "law" that covers your business needs.
  2. Internal GDPR compliance management.

However, we don't provide the physical level of data security.

Conclusion

In a nutshell, the GDPR is a collection of regulations whose end purpose is the protection of people's personal data. The GDPR has become the new important rule of the game, and every player should be aware of it. Moreover, strong compliance with the GDPR principles will give you a well-composed privacy policy.

Changes in the law require a quick business response and adaptation. Also, users' awareness and knowledge of their rights naturally increase, which will encourage companies to adhere more strictly to the principles of GDPR compliance.

Contact Go Wombat for help understanding what level of compliance and protection of sensitive data is necessary in your particular case. Then, together with a team of professionals, we will provide you with GDPR compliance and data protection.