The 7 principles in detail

The top line

GDPR’s seven principles are the foundation of everything when it comes to GDPR. Follow them, and you’re well on your way to compliance. They’re mostly common sense (and things you hope that responsible businesses would have in place anyway!) but common sense that needs to be documented and provable.

The seven principles of GDPR are laid out in Article 5 of the regulation [1] — right near the start, which gives you a sense of how important they are. Everything else in GDPR is built on top of them.

Principle 1: Lawfulness, Fairness & Transparency

Plain English: have a valid reason, don’t be sneaky, and tell people what you’re doing

This principle is kind of 3-in-1. Each aspect of this principle has a different purpose.

Lawfulness means you need a valid legal basis for processing. You can’t just collect data because you want to. You need a legitimate justification that is within GDPR’s six bases.

Fairness means you don’t collect data in ways people wouldn’t expect or that work against their interests. Loading a tracking pixel before someone has a chance to consent? That’s not fair!

Transparency means people should know what you’re doing with their data, in plain language, before you do it. This is what your privacy policy, cookie banner and other notices around your website are for.

Roleplay time

Imagine this: you’re using Google Analytics in its default configuration, and you have those details in your privacy policy. But, because you want to maximise your data collection, you load the pixel silently before people interact with your consent banner.

Uh oh! You’ve just broken two of the three aspects of principle 1:

  • Lawfulness: you’d still be collecting data lawfully, because GA4’s data collection falls under one of GDPR’s legal bases.
  • Fairness: You’re not being fair! Because you’re collecting data before people have a chance to consent to that collection.
  • Transparency: You’re also not being transparent! You may have info about your analytics data collection in your privacy policy, but you started collecting it before a visitor had the chance to read the policy.

Principle 2: Purpose Limitation

Plain English: only use data for what you said you’d use it for.

When you collect personal data, you tell people – in your privacy policy – why you’re collecting it. Purpose limitation says you have to stick to that reason. You can’t collect data for one thing and then turn around and use it for something else.

The only exception is “compatible purposes” — processing that’s clearly in line with what you originally said. But this has to be genuinely compatible, not a stretch. This principle can trip a lot of people up, especially when it comes to marketing.

Roleplay time

You collect email addresses for order confirmations through your online store, and don’t have any information about other ways you might use customer data in your privacy policy.

You decide you need to up your marketing game, so you run two campaigns:

  • You start sending weekly marketing newsletters with special offers to the same list
  • You upload your email list to Meta ads to create a lookalike audience, to reach people similar to your existing customers

Which of these activities do you think is in contravention of principle 2?

Surprise, it’s both!

Unless you got separate, explicit consent for email marketing (usually called an “opt-in”), and you mentioned in your privacy policy that you will use your customers’ personal information for targeted advertising, that’s a purpose limitation breach.

Principle 3: Data Minimisation

Plain English: don’t hoover up data just because you can.

Only collect data that’s genuinely necessary for the purpose you’ve stated. GDPR describes this as data being “adequate, relevant, and limited to what is necessary.” [2]

This principle is particularly relevant to forms and data collection practices. Every field you add to a form is an additional piece of personal data you’re responsible for protecting.

One thing to bear in mind with this rule: it can actually be beneficial for your business. If you don’t explicitly need to collect PII, you can simply exist outside the realms of GDPR and enjoy your life. Why are you even reading this guide? Go outside and sit under a tree.

Roleplay time

You’re running an email newsletter where you send subscribers pictures of seashells that you found. You have 17 million subscribers.

To operate the newsletter you need two pieces of information:

  • Someone’s email address
  • Their first name (to personalise the subject line)

But in your signup form you are also including fields like:

  • Phone number
  • Annual income
  • Favourite type of seashell

Uh oh! You’re violating data minimisation. You don’t need people’s phone number to email them pictures of seashells. Your signup form should just include email and first name, because that’s all you need!

Principle 4: Accuracy

Plain English: keep data correct; if it’s wrong, fix it or delete it

Personal data should be accurate and kept up to date. You’re responsible for having processes in place to update or delete data when it becomes inaccurate, and for acting promptly when someone tells you that their data is wrong.

This connects directly to the right to rectification: if a user asks you to correct inaccurate information, you have one month to comply.

Similar to the data minimisation principle, this one is actually advantageous to your business. You want to be keeping accurate, up-to-date information.

Principle 5: Storage Limitation

Plain English: if you don’t need it anymore, get rid of it

You shouldn’t keep personal data for longer than is necessary (“necessary” being defined by the original purpose for which you collected it). This means setting data retention periods, and actually honouring them. Keeping personal data indefinitely “just in case” is not a retention policy, just FYI.

Different types of data warrant different retention periods. Purchase records might need to be kept for seven years for tax purposes. Analytics data? Probably 14 months maximum. Marketing email lists? Until someone unsubscribes.

Roleplay time

You decide to pivot your seashell email newsletter into an eCommerce store selling seashells. You announce it to your 17 million subscribers and 1 million of them sign up to an account.

Two years later, only 6 people have purchased seashells (you are beginning to suspect this is because they are available for free, on the seashore).

However, you still have the account details of the 999,994 people who signed up but never purchased, including their full names and addresses. In your privacy policy, your data retention policy for inactive accounts is two years. So, to stay compliant, it’s time to delete these user accounts!
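Retention only works if it is actually enforced, so here is an added example (not from the article or from Etiquetta) of a purge run that applies the periods the article quotes: seven years for purchase records, 14 months for analytics, two years for inactive accounts, and “until unsubscribe” for marketing lists. The record IDs and dates are constructed sample data standing in for the accounts in the roleplay.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention periods taken from the article: purchase records seven years (tax),
# analytics data 14 months, inactive accounts two years. Marketing subscribers
# are kept until they unsubscribe, so they have no fixed period here.
RETENTION_DAYS = {
    "purchase_record": 7 * 365,
    "analytics_event": 14 * 30,      # 14 months, approximated in days
    "inactive_account": 2 * 365,
}

@dataclass
class Record:
    record_id: str        # constructed sample IDs below
    category: str         # a RETENTION_DAYS key, or "marketing_subscriber"
    last_activity: date   # purchase date, event date or last login
    unsubscribed: bool = False

def is_expired(rec, today):
    """True once the documented retention period for rec.category has passed."""
    if rec.category == "marketing_subscriber":
        return rec.unsubscribed
    days = RETENTION_DAYS.get(rec.category)
    if days is None:
        # No documented period means no stated purpose: refuse to run rather
        # than keep the data indefinitely "just in case".
        raise ValueError(f"no retention period documented for {rec.category!r}")
    return today - rec.last_activity > timedelta(days=days)

def purge_plan(records, today):
    """Return (keep, delete) lists of record IDs for a scheduled purge run."""
    keep, delete = [], []
    for rec in records:
        (delete if is_expired(rec, today) else keep).append(rec.record_id)
    return keep, delete

# Constructed sample data standing in for the million accounts in the roleplay.
TODAY = date(2025, 1, 1)
SAMPLE = [
    Record("acct-1", "inactive_account", date(2022, 6, 1)),   # signed up, never bought
    Record("acct-2", "inactive_account", date(2023, 6, 1)),   # still within two years
    Record("order-1", "purchase_record", date(2019, 3, 1)),   # tax record, keep 7 years
    Record("ga-1", "analytics_event", date(2023, 9, 1)),      # older than 14 months
    Record("sub-1", "marketing_subscriber", date(2020, 1, 1), unsubscribed=True),
    Record("sub-2", "marketing_subscriber", date(2020, 1, 1)),
]

def run_sample():
    return purge_plan(SAMPLE, TODAY)
```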

Principle 6: Integrity & Confidentiality

Plain Tolkien: keep it secret, keep it safe.

Any personal data you collect must be protected against unauthorised access, accidental loss, destruction, or damage. This means appropriate technical and organisational security measures (basically, your safeguards should be in line with the riskiness of the data you’re holding).

For most websites, this means:

  • HTTPS everywhere: non-negotiable; any site still on HTTP is failing this principle.
  • Strong passwords and 2FA for admin accounts and tools holding personal data.
  • Encryption for sensitive data at rest and in transit.
  • Regular software updates: unpatched CMS plugins are a leading cause of data breaches.
  • Access controls: limit who can access personal data to those who genuinely need it.
  • Secure backups: backups containing personal data should be encrypted.

Real-life example time

No roleplay needed here – there have been multiple real-life sanctions handed out by privacy authorities under principle 6, as this is the part of the regulations that deals with data leaks, hacks or accidental disclosures. These include:

  • Spain fined UNIQLO €270,000 in 2024 for accidentally sending a payroll PDF that included the payroll details of about 500 other employees. [3]
  • Ireland fined Meta €265 million after scrapers stole the profile information of 500 million people due to inadequate security. [4]

Principle 7: Accountability

Plain English: be able to show your working

This is the principle that ties everything together. It’s not enough to just say that you comply with the other six; you need to be able to demonstrate that you comply. Documentation, records, and processes aren’t optional extras; they’re part of the requirement.

What accountability looks like in practice:

  • A documented inventory of what personal data you process, and why.
  • Records of consent, including cookie consent (who consented, when, to what).
  • A data processing register (formal ROPA) if you’re large enough to require one.
  • Data Processing Agreements with all your vendors.
  • An internal process for handling subject access requests.
  • Evidence that you’ve considered privacy in your decision-making.
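The consent records above and the “pixel loaded before the banner” roleplay under principle 1 are two sides of the same mechanism, so here is one added example (not from the article or from Etiquetta) of an append-only consent log that records who consented, when and to what, gates a consent-based purpose on a prior recorded choice, and exports a visitor’s history for an authority. The visitor ID, timestamps and policy version are constructed sample values.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

@dataclass(frozen=True)
class ConsentEvent:
    visitor_id: str       # pseudonymous banner ID (constructed values below)
    timestamp: datetime   # when the choice was made; must be timezone-aware
    purposes: frozenset   # purposes accepted; empty set = refused or withdrawn
    policy_version: str   # privacy policy version shown at the time

class ConsentLog:
    """Append-only log of consent choices: who consented, when, to what."""
    def __init__(self):
        self._events = []

    def record(self, event):
        if event.timestamp.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        self._events.append(event)   # never edited or deleted afterwards

    def choice_as_of(self, visitor_id, at):
        """Latest recorded choice for this visitor at or before time `at`."""
        earlier = [e for e in self._events
                   if e.visitor_id == visitor_id and e.timestamp <= at]
        return max(earlier, key=lambda e: e.timestamp) if earlier else None

    def may_process(self, visitor_id, purpose, at):
        """Principle 1 gate: a consent-based tag may fire only if a prior
        recorded choice covers it; no record means no consent."""
        choice = self.choice_as_of(visitor_id, at)
        return choice is not None and purpose in choice.purposes

    def evidence_for(self, visitor_id):
        """Principle 7 export: the full, timestamped history for one visitor."""
        return [{**asdict(e), "timestamp": e.timestamp.isoformat(),
                 "purposes": sorted(e.purposes)}
                for e in self._events if e.visitor_id == visitor_id]

def demo():
    """Constructed timeline for one visitor of the roleplay site."""
    log = ConsentLog()
    t = lambda s: datetime(2025, 3, 1, 10, 0, s, tzinfo=timezone.utc)
    before = log.may_process("v-42", "analytics", t(0))        # landed, no answer yet
    log.record(ConsentEvent("v-42", t(5), frozenset({"analytics"}), "2025-02"))
    analytics = log.may_process("v-42", "analytics", t(6))
    ads = log.may_process("v-42", "advertising", t(6))         # never consented to
    log.record(ConsentEvent("v-42", t(40), frozenset(), "2025-02"))  # withdrawn
    after = log.may_process("v-42", "analytics", t(41))
    return before, analytics, ads, after, len(log.evidence_for("v-42"))
```

demo() returns (False, True, False, False, 2): the silent pixel at landing is refused, analytics is allowed only between consent and withdrawal, and both choices remain on record.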

Real-life example time

One of your users complains to their national data protection authority because they suspect you’re holding information about them that you shouldn’t be.

The authority contacts you requesting evidence of compliance. Can you show them:

  • Your privacy policy (dated, accessible)
  • Your consent records
  • Your DPAs with Google and other vendors
  • Your process for handling user rights requests

If you can’t produce these things, uh oh, you’re not compliant!

Inevitable sales pitch!

If you’re struggling to make sense of your GDPR obligations for your website, add Etiquetta to make yourself instantly compliant.

We combine website analytics, performance monitoring, session replays and plenty more with zero cookies or PII involved. If you add third-party cookies or PII collection, our cookie and consent management function gives you a timestamped, auditable log of when each visitor consented, so you can demonstrate compliance when it matters.

Putting it all together

Now you’ve got a good understanding of all seven principles, but remember: they all apply equally, and the interplay between them is the foundation of GDPR.

| Principle | Tl;dr | What to have / what to do |
|---|---|---|
| 1. Lawfulness, Fairness & Transparency | Have a valid reason, be upfront | Legal basis + privacy policy + cookie banner |
| 2. Purpose Limitation | Use data only for what you said | Document purposes; don’t repurpose data |
| 3. Data Minimisation | Collect only what you need | Audit collection; remove anything unnecessary |
| 4. Accuracy | Keep it correct; fix errors | Update mechanisms + act on rectification requests |
| 5. Storage Limitation | Delete it when you no longer need it | Set retention periods; automate deletion |
| 6. Integrity & Confidentiality | Keep it safe | HTTPS, access controls, encryption, updates |
| 7. Accountability | Show your working | Document everything; keep records of consent |

If you can genuinely tick all seven of these, you’re well ahead of most websites.

For the areas you’re still unsure about, dig into the specifics: choose the right legal basis, write a proper privacy policy, and understand how to handle user rights requests.

  1. https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng
  2. https://www.edps.europa.eu/data-protection/data-protection/glossary/d_en
  3. https://www.edpb.europa.eu/news/national-news/2024/spanish-supervisory-authority-fined-uniqlo-europe-ltd-violations-article_en
  4. https://www.bbc.com/news/world-europe-63786893