Building Trust Beyond Compliance

Data Privacy Principles That Shape Policy

Data Privacy Principles That Shape Policy

While the United States does not yet have a nationwide data privacy law, this might change in the not-too-distant future. The data privacy principles established in the European Union’s General Data Protection Regulation (GDPR) are expected to influence the privacy legislation developing in the US. Let’s take a closer look.

GDPR Data Privacy Principles

The General Data Protection Regulation regulates data privacy across EU member states and countries. Considered by many as the strongest data privacy regulation in the world, it sets strict guidelines for processing personal data. Companies and individuals that overstep these boundaries can find themselves in hot water, facing steep fines and other penalties.

The GDPR upholds seven data privacy principles outlined in Article 5: “Principles relating to the processing of personal data.” These are:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation and responsible elimination
  • Integrity and confidentiality
  • Accountability

Let’s examine each data privacy principle in more detail.

Lawfulness, Fairness, and Transparency

The GDPR stipulates that companies involved in the processing of personal data should proceed in a lawful, fair, and transparent manner in relation to data subjects.

Lawfulness. Companies processing personal data must be able to identify and present a lawful basis for doing so. Personal data should not be handled in a way that violates the law, users’ rights, or regulatory standards.

Get Treasure Data blogs, news, use cases, and platform capabilities.

Thank you for subscribing to our blog!

Fairness. Organizations that process personal data must consider and justify any adverse impact on data subjects. Just because companies have the capability to use information, the ability itself doesn’t always justify data collection.

Transparency. Data subjects must be informed of their privacy rights and how the company handles their personal information.

Purpose Limitation

This principle holds companies accountable for their data processing practices. The GDPR states that personal data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes…”

Companies must document their data collection purposes and adhere to the scope of those outlines as limits on tasks and timeframes. If they are compelled to use data outside their stated purpose, the new purpose must still be aligned with the first principle of lawfulness, fairness, and transparency.

Data Minimization

This principle limits the amount of data collected only to that which is necessary for companies’ stated purposes. In other words, organizations may collect the information they need and nothing more. Thus, the GDPR restricts companies from processing and storing extraneous information about data subjects.


The GDPR charges the companies and organizations collecting data with the responsibility of ensuring its accuracy. If the information is false, misleading, or outdated, organizations must take the necessary steps to correct it as soon as possible. This principle, along with data minimization, sets quality standards for personal data that organizations collect and keep.

Depending on the nature of the data and its purpose, organizations may need to update their records periodically to preserve accuracy.

Storage Limitation and Responsible Elimination

This is another principle that sets data standards for companies collecting personal information. As long as the data is necessary for the company’s stated purposes, it may be stored. Once that purpose has been fulfilled, companies must expunge it from their records through responsible elimination or deletion.

This GDPR principle minimizes the risk of personal information becoming inaccurate, outdated, or vulnerable to unnecessary threats because of extended storage periods.

Integrity and Confidentiality

According to the GDPR, personal data shall be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).” In other words, organizations must make every effort to treat customer information responsibly and ethically. The broader value statements within this principle could be seen to encompass all other directives for ensuring data security.

While data privacy is largely defined by laws, companies and organizations define data security by establishing their own best practices. Because they are responsible for initiating safeguards against internal and external threats, companies and organizations must have a data security plan that combines the right people, processes, and technological solutions for keeping data safe and confidential.


This last principle requires companies to take responsibility for their data practices and own their actions. Data controllers or other parties who determine the purpose of collecting and processing data must not only comply with all GDPR principles but must also demonstrate compliance. Companies and organizations can do this by documenting their processes, frequently examining their data assets, and reporting on data self-audits.

In view of the GDPR’s success, companies and organizations in the U.S. need to prepare for similar requirements under a possible nationwide data privacy law. These requirements are likely to be guided by the GDPR’s principles of lawful data processing, purpose limitations, data minimization, accuracy, storage limitation and deletion, integrity and confidentiality, and accountability.

Manage Data Privacy And Compliance With Treasure Data

Treasure Data Customer Data Cloud provides companies with the highest level of data privacy and data security around the world. Our enterprise customer data platform (CDP) empowers users to manage data privacy and compliance easily.

Use Customer Data Cloud to:

  • Collect and centralize customer data from all sources in one powerful platform
  • Unify customer profiles using online + offline data
  • Keep customers’ personally identifiable information (PII) safe
  • Automate workflows for DSARs and privacy requests
  • Keep global teams privacy-regulation compliant
  • Manage permissions by region, organization, role, and more
  • Integrate with authentication services for secure identification
  • Create premium audit logs for monitoring activity
  • And more

To discover how you can use Treasure Data’s Customer Data Platform to apply data privacy principles, download our white paper today. Want to learn more? Request a demo, call 1.866.899.5386, or contact us for more information.  

Building Trust Beyond Compliance

Jim Skeffington
Jim Skeffington
Jim Skeffington is a Technical Product Marketing Manager at Treasure Data. He has years of experience working with data, including as a financial analyst, data architect, and statistician. Recently, he was recognized by the Royal Statistical Society for his thought leadership in the fields of statistics, data science, and data research. He is also proud to serve as a Captain in the United States Marine Corps.
Related Posts