GDPR principles

Lawfulness: First and foremost, all of the personal data processing that you do must not break the law. Clearly, the processing of personal data for the purposes of criminal activity would be unlawful.  However, processing may also be unlawful if it results in:

  • a breach of a duty of confidence. Such a duty may be stated, or it may be implied by the content of the information or because it was collected in circumstances where confidentiality is expected – medical or banking information, for example;
  • your organisation exceeding its legal powers or exercising those powers improperly;
  • an infringement of copyright;
  • a breach of an enforceable contractual agreement;
  • a breach of industry-specific legislation or regulations;
  • a breach of the Human Rights Act 1998. The Act implements the European Convention on Human Rights which, among other things, gives individuals the right to respect for private and family life, home and correspondence.

Lawful Basis under GDPR

GDPR also requires that you have a valid lawful basis in order to process personal data.  There are six available lawful bases for processing (GDPR Article 6(1)(a)-(f). No legal basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on the purpose of the data processing.

Fairness: You must use people's personal data only in ways they would reasonably expect and that will not give rise to any unjustified adverse affects to the person involved.  Fairness also requires that you ensure that people understand how you intend to use their data and that what you do in practice matches up with what you have said.

Transparency: This requires that you inform people clearly and in understandable language, how you intend to use their personal data.  


Data can only be used for a specific processing purpose that the subject has been made aware of and no other, without further consent.


Data collected on a subject should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”, i.e. no more than the minimum amount of data should be kept for specific processing.

Organisations should only process the personal data that it actually needs to process in order to achieve its processing purposes


Data must be “accurate and where necessary kept up to date”.  Data holders should build rectification processes into data management / archiving activities for subject data.


Personal data should be “kept in a form which permits identification of data subjects for no longer than necessary” - i.e. Data no longer required should be removed.


Data controllers and processors should handle data “in a manner [that ensures the] appropriate security of the personal data including protection against unlawful processing or accidental loss, destruction or damage”.



  • GDPR Article 5(2) requires that the data controller "be responsible for, and be able to demonstrate, compliance with the principles"

  • All employees, researchers or students in an organisation, who collect and/or controll the content and use of personal data are individually responsible for compliance with GDPR


  • What personal data is being collected, processed and stored?
  • How has the personal data been obtained?
  • What is the legal basis for collecting, processing and storing each of the personal data sets?
  • How is the data being processed?
  • Who can access the data?
  • What security measures are in place?
  • Systems to facilitate access to data, correction of errors, timely deletion of data, removal of data on request
  • Comprehensive but proportionate, governance measures (including maintenance of documentation on data processing activities)
  • Effective communication and/or training programmes to ensure staff who collect and process personal data are aware of their GDPR obligations.
Where can I find the "principles" of GDPR?

GDPR Article 5

GDPR Recitals 26 and 39


This guidance has been prepared by the HRB to help researchers in the health domain comply with GDPR requirements.

It is intended to be general guidance for educational and informational purposes only.

It is not legal advice.