General Data Protection Regulation (GDPR) has been around long enough for us all to understand its basic data protection principles. While the regulation itself may not be new to businesses anymore, new businesses, processes and situations still appear every day across the world, and these must still comply with GDPR.

This blog looks at the 7 key principles of GDPR: what they are, what businesses are expected to do to comply with them, and how to ensure GDPR compliance in 2022.

What are the 7 Key Principles of GDPR?

There are 7 principles of the General Data Protection Regulation which all businesses should be aware of. By creating a culture of compliance around these principles, organisations can rest assured they are well on their way to GDPR compliance.

Setting the scene

To practically demonstrate how the 7 key principles of GDPR can affect business practices, we will follow a newly created company, NeltaDet, as they begin their journey to be GDPR compliant. NeltaDet is building a mailing list to receive a monthly compliance newsletter. They aim to capture website visitors’ details through their online newsletter sign up form or an opt-in tick box on their product enquiry form.

Lawful, fair and transparent

The first GDPR principle consists of 3 components:

1. Lawful – this refers to the gathering of people’s data. There must be a lawful reason for you to process personal data. There are 6 legal reasons deemed lawful; these are:

  1. Consent
  2. Contract
  3. Legal Obligation
  4. Vital Interests
  5. Public task
  6. Legitimate interest

More information on these can be found here.

2. Fair – this refers to the scope of personal data processing. This should be limited to what is expected by the person whose personal data is being processed.

3. Transparent – when dealing with an individual’s personal data, GDPR guidelines require you to communicate clearly and simply about how that person’s personal data is intended to be used.

For NeltaDet, using a voluntary form and tick box for website visitors to sign up would be classed as lawful consent. Transparency is achieved by informing the visitor about the compliance newsletter and how their data will be handled, pointing them towards NeltaDet’s privacy policy. When processing the data, NeltaDet would have to be careful to ensure it only used the data fairly; for example, it would be a breach of GDPR to use this data to send Health and Safety training emails.

Purpose Limitation

Purpose limitation ensures that businesses only process data for its original purpose. Personal data should not be used for purposes it wasn’t originally intended for – if it is used for another purpose, then the individual and the business responsible could be fined or have criminal charges pursued against them.

NeltaDet’s newsletter signup process automatically stores the IP address of the individual on sign up. At the time, this was so NeltaDet could keep a record of how and when it gained consent to send the newsletter to this individual. However, someone in the marketing team now wants to repurpose this personal data and use it to send out geographically targeted email campaigns based on subscribers’ IP addresses. This breaches GDPR and could result in a fine and/or criminal charges against individuals and the business. Information should only be used for the purposes originally stated when collecting the data.

Data Minimisation

When collecting customer information, it can be tempting to collect as much data as possible to maximise the information you have on your customer database. However, the GDPR principle of data minimisation requires businesses to only collect the information they need. Long gone are the days of long sign up forms and endless questions. GDPR ensures that the collection of personal data is minimised to what is needed, not what is wanted.

For NeltaDet’s compliance newsletter sign up form they should only be asking for two pieces of information – the individual’s name and email address. This is the only information required to send their newsletter and no other information should be requested.

Accuracy

Any business’s data should – at the very minimum – be accurate, regardless of GDPR. Under GDPR guidelines, however, personal data must also be maintained and kept up to date. The data controller and/or data processor should take reasonable measures to ensure personal data remains up to date.

The ICO states that where a business uses its own sources to compile personal data, it should ensure that the information is accurate. Sometimes, however, you may not be able to check the accuracy of information that comes from a third party. In this case, you should:

  • accurately record the information provided;
  • accurately record the source of the information;
  • take reasonable steps in the circumstances to ensure the accuracy of the information;
  • carefully consider any challenges to the accuracy of the information.

Regarding NeltaDet’s situation, they should ensure that their data controller/processor regularly cleans their data and ensures it is accurate. It would also be good practice to give all subscribers a preferences portal where they can manually edit their own personal data and unsubscribe if they want to, helping to ease the workload for NeltaDet and improve the quality of their data.

Storage limitations

Under GDPR, businesses should not store data for longer than they need it. They should also be able to justify why any data is stored. It is good practice to develop a data retention policy that stipulates how long personal data will stay on file – this helps to satisfy GDPR documentation requirements.

Much like the principle of data accuracy, businesses should review the personal data they hold regularly. Any data that is no longer needed should be erased regularly, so that storage limitation guidelines are met and business data is kept clean.

Individuals also have the ‘right to erasure’ which allows them to request their data gets deleted. However, there are scenarios where businesses can still store personal data even if an individual has submitted an erasure request. To better understand the right to erasure, check out our Right to Erasure online training course.

For NeltaDet’s compliance newsletter, storage limitations are straightforward. The individual provided consent to use their data to receive newsletters, and NeltaDet has implemented a preferences management portal to help subscribers keep their data accurate. When an individual unsubscribes from the compliance mailing list, their data must be deleted from the system if they are not subscribed to anything else and are not a customer. This is because NeltaDet’s only purpose for holding their data was to provide them with the compliance newsletter. Once the individual unsubscribes, NeltaDet no longer has a reason to store this data.

However, if the individual unsubscribing from the compliance newsletter is an existing customer with active subscriptions to NeltaDet’s other newsletters, then NeltaDet can continue holding their data on the system, without sending the compliance newsletter to them.

Integrity and confidentiality

GDPR’s integrity and confidentiality principle derives from two sides of the CIA triad. This principle ensures any business dealing with personal data has appropriate security measures in place to protect it from both internal and external threats.

Integrity – refers to protecting personal data from manipulation, ensuring information stays correct.

Confidentiality – refers to protecting personal data from unauthorised access, ensuring cyber criminals and other unauthorised people cannot access a business’s stored data and keeping it confidential.

NeltaDet needs to ensure it has proper systems in place to keep its data secure. Deploying a password-protected system such as a CRM is a good place to start, but this is only a basic level of protection for the personal data a company holds. Discover our range of data protection courses here.

Accountability

This is the final principle of GDPR, and it is concerned with taking accountability for GDPR compliance in a business. Accountability should involve more than just tick-box exercises. It requires organisations to take responsibility for their actions, and how they comply with the other GDPR principles. Organisations must demonstrate that they have appropriate measures and records in place to highlight their accountability.

Looking at NeltaDet’s compliance newsletter, NeltaDet must record the lawful basis (the consent given by the individual), as well as documenting how it initially proposed to handle this data. It must then ensure it complies with the rest of the GDPR principles, documenting its compliance procedures and any potential risks or breaches of GDPR.

How to ensure GDPR compliance in 2022

Training. High quality, comprehensive training for all staff is the only way to ensure GDPR compliance in 2022. GDPR is a vast landscape that affects every person and every department within an organisation. High quality, thorough and regular training is essential to ensure GDPR compliance. Non-compliance can be significantly financially and reputationally damaging, and employees can also face potential personal liability in a court of law. Every individual in a business should understand the role they play in assuring GDPR compliance.

eLearning has evolved, and 2022 is looking to be the real post-Covid test businesses will face. Production is due to rise and employees are reluctant to return to the workplace full-time, bringing a new set of challenges. Traditional in-house training and compliance procedures no longer work, and a switch to digital training has already begun. Organisations must ensure they switch to online GDPR training or face potential compliance issues in the future. An organisation’s GDPR compliance is only as good as its weakest link.

We provide a comprehensive collection of online data protection courses which your business can use on our Astute eLearning platform (optional). Our courses are CPD accredited and have been developed alongside GDPR and Data Protection experts to ensure their content is accurate and engaging. By utilising our Astute platform you can easily identify and close any skills or knowledge gaps, learn on the go with a tablet or smartphone with our cloud-based support, easily report on GDPR training to assist GDPR compliance, and much more.

The UK’s alert level for COVID-19 was recently downgraded from level 4 to 3 and, in light of this, we’ve seen many businesses cautiously reopen and embrace a new kind of normal. Still, the easing of lockdown means the pressure is on for organisations to remain ultra-vigilant and to implement all measures possible to protect their customers and employees from risk.

Understanding health and safety best practice is more important now than ever before, and whether your organisation is already open, or plans to implement new working from home measures long-term, there are regulations employers cannot afford to neglect.

To help ease the transition, we’ve spent some time uncovering the 8 laws your organisation is most likely to unwittingly break. With employee wellbeing in the balance (not to mention companies can face heavy fines if found guilty of non-compliance at an employment tribunal), it’s important your business doesn’t drop the regulatory ball.

Here are 8 laws you could be breaking right now:

1. You don’t consider your employees’ requests for flexible working

It’s likely many organisations will consider more flexible working policies following the coronavirus outbreak. Senior management teams around the country have been pleasantly surprised by levels of productivity from remote workforces, and, likewise, many employees have enjoyed having no commute and a better work/life balance. Equally, returning to the office ‘as usual’ could result in high levels of anxiety amongst employees, with a recent survey confirming that many of us have concerns about returning to work. With this in mind, employers should remember the Flexible Working Regulations 2014 which state that an employee who has been “continuously employed for a period of at least 26 weeks is entitled to make a flexible working application”. In fact, employers can only refuse a request for one of eight reasons, and this reason must be given in writing alongside details of your company’s appeals procedure.

Possible fine for non-compliance: You could be required to pay your employee up to 8 weeks’ pay. A week’s pay is currently capped at £538 and is increased on 6 April every year.

2. You aren’t considering the health and safety of remote workers

Employers with teams of more than 5 people have obligations under The Health and Safety at Work Act 1974, The Display Screen Equipment Regulations, and The Provision and Use of Work Equipment Regulations to safeguard the health, safety, and wellbeing of their workforce – even if that workforce is working remotely. This means risk assessments must be completed (they can be self-assessments) for all employees working from home to highlight and mitigate any areas of high risk. It is the employer’s responsibility to implement any changes necessary that are uncovered by the risk assessment.

Given the current circumstances, and in their eagerness to move the workforce to the safety of their own homes, it’s possible that employers may have overlooked their responsibility for home workers’ health and safety here. Don’t forget, furloughed staff are still employees with employment rights and, as such, are owed the same duty of care as members of staff still able to work.

Possible fine for non-compliance: The Parker Hannifin Manufacturing Ltd case demonstrates that organisations can be heavily fined for breaching regulations. This firm was fined £1 million for breaching regulation 3(1) of the Management of Health and Safety at Work regulations and Section 2(1) of the Health and Safety at work Act 1974.

3. You fail to provide staff with the right equipment

Following on from above, it’s the responsibility of employers to ensure employees have completed a display screen equipment assessment (although this can be undertaken as a self-assessment with appropriate guidance). However, there’s also a non-delegable duty under The Health and Safety (Display Screen Equipment) Regulations to fund the provision of eye tests and of special corrective equipment, which applies to workers who use DSE daily and continually for more than an hour at a time.

For example, you may have come across organisations that provide employees a budget with which to purchase equipment and appliances they need to work safely, e.g. a supportive chair, footrest, or wrist support. It’s worth remembering that this equipment remains the property of the company for return upon request.

Possible fine for non-compliance: Recent legislation removed the fine cap (previously £5,000 – £20,000) and allowed magistrates courts to give out unlimited fines for offences committed on or after the 12th of March 2015.

4. You neglect to consider your employees’ mental health

According to the Health and Safety at Work Act 1974, companies must assess and mitigate the risk of work-related stress amongst employees. Given recent circumstances, these levels are potentially higher than normal (employees working from home are reporting higher workloads and longer work hours in some circumstances, as well as the additional stress of caring for children and other dependents during lockdown). Keeping open communication between managers and team members, scheduling in regular breaks throughout the day, and offering regular company updates to keep employees informed about the business, are all things you can do to help manage stress levels at work.

Possible fine for non-compliance: Employees can be awarded compensation for Working Time Regulations breaches where they suffer serious mental or physical consequences as a result of the circumstances imposed by their employer.

5. You haven’t provided new employees with written particulars of employment

It has been encouraging to see many organisations continue to hire new staff during lockdown (ourselves included!) with interviews being carried out virtually using video conferencing software. Remember, though, virtual employment offers do not excuse the need for written particulars of employment. In fact, under the Employment Rights Act 1996, all new members of staff must be served in writing with information about holiday rights, sick pay entitlements, and information about notice agreements within two months of joining. Additionally, any changes to this contract must also be served in writing or companies could face a breach of contract claim.

Possible fine for non-compliance: Failure to have written particulars: 2–4 weeks’ pay. Currently a week’s pay is capped at £538 but is increased on 6 April every year.

Failure to consult on changes to a contract could result in a fine per employee of up to 90 days’ gross pay (if this involves 20 or more employees), or could result in a breach of contract claim or constructive unfair dismissal claim in which the compensatory award is currently capped at 52 weeks’ gross pay or £88,519, whichever is less.

6. You haven’t given employees information on the company’s health and safety policies

The Health and Safety at Work Act 1974 states that business leaders must “prepare and, as often as may be appropriate, revise a written statement of his general policy in respect to the health and safety at work of his employees and the organisation and arrangements for the time being in force for carrying out that policy, and to bring the statement and any revision of it to the notice of all his employees.” This directive is also covered under The Management of Health and Safety at Work Regulations 1999. Worryingly, according to a survey by data capture app provider WorkMobile, as many as 65% of staff have not received any information about their company’s health and safety policies. Yikes!

Possible fine for non-compliance: The maximum penalty for failure by an employer to comply with a general duty imposed by HSWA 1974, ss 2–7 on summary conviction is six months imprisonment or an unlimited fine or both. On indictment, the maximum penalty is two years imprisonment or a fine or both.

7. You aren’t reporting workplace injuries

There are certain workplace injuries, diseases, and near-misses that must be reported to the Health and Safety Executive (HSE) in the UK. This directive is covered under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013, also known as RIDDOR. Additionally, organisations employing more than 10 members of staff are required by law to keep an accident book and store it safely for 3 years.

Possible fine for non-compliance: Failure to report ‘reportable’ accidents is a criminal offence and the responsible person can be sentenced in the Magistrates’ Court with a fine up to £20,000, or in the Crown Court with an unlimited fine. Individuals deemed responsible for non-reporting can also face a period of imprisonment for up to two years.

8. You aren’t protecting staff from the risks of workplace diseases

Does your workplace have air-con, hot and cold water systems, or on-site showers? If so, you need to be aware of hidden dangers like Legionnaires’ disease, an uncommon yet potentially fatal form of pneumonia. Legionnaires’ disease can spread to humans when we inhale small water droplets containing the bacteria. Given the amount of time many of us spend in the office, it’s important to inspect, maintain, and regularly service all water management systems your employees use (think water tanks, thermostatic mixing valves and water treatment equipment).

Possible fine for non-compliance: G4S Cash Solutions has been fined £1.8 million after failing to reduce the risk of Legionnaires’ disease from its water systems.

Final Word

I think we can all agree that 2020 has been a tough year so far, and we want to reiterate that the information above is not meant to scaremonger or cause further alarm. Rather, it’s a reminder about the legislative responsibilities all business owners have to protect their biggest asset – their staff.

With special thanks to Richard Nelson LLP for their expert advice on this topic.