Accountability and telling the principles apart
The GDPR reinforces every principle by adding accountability, the principle that binds the others together: it places the burden of proof on organisations to demonstrate that they have implemented the principles properly, and they may be required to present evidence at any time on a supervisory authority's request. This topic also drills the most-tested skill of telling the principles apart: purpose limitation (why), data minimisation (how much), storage limitation (how long), accuracy (correctness), and integrity and confidentiality (security).
| Principle | Core question | One-line meaning |
|---|---|---|
| Lawfulness, fairness, transparency | Are we allowed and open? | Have a legal ground; be fair and clear with people |
| Purpose limitation | Why was it collected? | Use only for specified, explicit, legitimate (and compatible) purposes |
| Data minimisation | How much? | Collect only relevant, necessary, adequate data |
| Accuracy | Is it correct? | Take reasonable steps to keep data accurate/up to date |
| Storage limitation | How long? | Keep no longer than necessary; then delete/anonymise |
| Integrity and confidentiality | Is it secure? | Protect with appropriate technical/organisational measures |
| Accountability | Can we prove it? | Demonstrate compliance with all of the above |
Purpose limitation = WHY (what the data is for). Data minimisation = HOW MUCH (only what is needed). Storage limitation = HOW LONG (not kept longer than necessary). Map every scenario to one of these three questions before choosing an answer.