Eight Principles Of The Data Protection Act and Examples For Each Principle.

Written by: Lawore Olufemi

Digital Sales Optimiser At Caring For Care

Have you ever given your email, phone number, or other personal details to a business? If so, that’s considered personal data, and there are laws about how companies can use it. The data protection principles make sure companies use your information fairly and responsibly, and that you have control over it.

In 2011, around 77 million PlayStation Network accounts held by Sony were compromised, exposing names, addresses and other personal data.

In July 2017, attackers broke into the systems of Dixons Carphone (now Currys) in the UK and compromised the details of 5.9 million payment cards.

A further 10 million records, including names, postcodes, email addresses and details of failed credit checks, were also taken.

After its investigation, the ICO fined the company £500,000 in January 2020. That was the maximum penalty available under the Data Protection Act 1998, which still applied because the breach predated the GDPR.

Our shopping and private messages make modern life easy, but can we trust giving personal details without worrying?

What should we expect from companies handling our data, considering what’s important to all of us?

What Counts as Personal Data?

Any information that can identify you counts. This includes obvious things like:

  • Full name
  • Home address
  • Email address
  • Phone number

It also covers less obvious information like:

  • IP address
  • Cookies tracking your activity online
  • Purchase history
  • Your social media posts and photos

In short, any information that relates to an identified or identifiable living person, rather than to people in general, is personal data.

The principles explain it this way:

  • Don’t use people’s info without asking or for things they wouldn’t expect.
  • Be upfront about why you need their info and what you’ll do with it.
  • Keep their info safe and protected.

This article will explain UK data protection in simple terms, so you can understand your rights and what companies should be doing.


What is a Data Protection Act?

A Data Protection Act is a law that tells companies how they can use information about you, like your name, birthday, address and phone number.

We call this “personal data”. It gives you rights about your information too.

From Paper to Computers

Way back before computers, UK companies only stored information about customers on paper in filing cabinets.

As technology improved, businesses started using computers to store everyone’s personal details instead, since it was easier.

But some people worried companies might lose information about them or use it in unfair ways without rules.

The First UK Data Protection Laws

So in 1984 the UK passed its first Data Protection Act to keep personal data safe, replacing it with a broader Act in 1998. However, the internet and digital technology kept advancing fast.

Over time, more customer and employee information went from paper files to being stored online in huge databases.

With this explosion of personal data available, an updated law was needed so people knew companies couldn’t just do whatever they wanted with it behind the scenes.

Stronger European Rules

In 2016, the European Union (EU) created an important new data protection regulation called the General Data Protection Regulation or GDPR for short.

As the UK was part of the EU at the time, the GDPR applied in Britain too, from 25 May 2018.

The GDPR gave residents of EU countries much more control over their personal details held by businesses.

When the UK left the EU in 2020, we kept essentially the same strong privacy rights and company responsibilities around data use.

Data Protection Today

The UK’s current main data protection laws are the Data Protection Act 2018 and the UK GDPR. Together they keep all the key GDPR rights and principles around companies being fair, honest and safe with private information about you and your family.

So today all British businesses must follow strict legal requirements about collecting and handling any of your details, or risk serious penalties.

Training staff on data protection (GDPR) law is now an important way to limit that risk.

The rules aim to protect customers while still allowing companies to act reasonably.

Key 8 Principles for Companies That Hold Your Data

In the UK, the main law around data protection is the Data Protection Act 2018, read alongside the UK GDPR.

This article groups the obligations of any business collecting or storing personal data into eight principles. Strictly speaking, Article 5 of the UK GDPR lists seven (the first seven below), and the individual rights in the eighth sit in a separate chapter of the law. Older guidance based on the 1998 Act counted eight, and that familiar grouping is kept here.

  1. Lawful, fair and transparent use: They must have a lawful basis for holding your details and be open about why they want them and what they’ll use them for.
  2. Limited purpose: Your data can only be used for the specific reasons you were told about, or for closely related purposes compatible with them.
  3. Relevant data (data minimisation): They should only ask for information necessary for those purposes.
  4. Accurate data: They must keep your records correct and up to date.
  5. Time-limited storage: They shouldn’t retain data longer than needed.
  6. Security: Your data must be properly protected from people who shouldn’t have access to it, and against accidental loss or damage.
  7. Accountability: Companies need to be able to show how they’re complying with all of the above.
  8. Rights regarding your data: You have certain rights around accessing your data, having it corrected or deleted, and objecting to some uses.

These principles protect you by limiting what companies can do behind the scenes with information about you. They aim to give you more control.

Explaining the Eight Principles of Data Protection Act

1. Fair and Lawful Use of Data

Companies must be upfront about why they want your personal details and what they’ll use them for. Over 75% of UK adults say transparency from businesses is important to them.

For example, if a shop asks for your email to send receipts or delivery updates, that’s okay.

But they shouldn’t automatically add you to any other mailing lists. They need your permission first.

Companies Must Be Fair and Clear About Your Information

  • Companies should have good reasons if they want to collect or use any of your personal information, like your name, age, phone number, and address.
  • They should explain the reasons clearly to you and get your permission.
  • They should only use information about you in fair and helpful ways.

Why this matters:

  • It stops companies from getting your information secretly or in unfair ways.
  • It means you understand why they have your information and what they use it for.

Example:

A maths game asks clearly upfront whether it’s okay for a player to share their birthdate. This way the player chooses what to share rather than the game quietly taking the information.

2. Using Data for Limited, Specific Purposes

Once you give your information for something like entering a contest or making a purchase, companies can only use it for the purpose you were told about, or for a closely related purpose that is compatible with it. Your details can’t be shared across the business for unrelated reasons without asking you first.

In a 2021 survey, 90% of British adults said companies should not be able to use personal data for other undefined business purposes without consent.

Businesses Must Only Use Your Information How They Said They Would

  • If you let a company have some of your information, they should only use it for the reasons they told you they needed it.
  • They shouldn’t suddenly decide to start using it for other things you didn’t agree to.

What they need to do:

  • Before collecting any of your data, they must specifically explain how they intend to use it.
  • They cannot then just change their minds later and use it in new ways unless you explicitly agree.

Example:

When a clothing store asks for addresses to send orders, it can’t suddenly start passing them to other companies for advertising unless it asks first.

Also, it should not send you marketing information unless you agree to it.

3. Only Collecting Relevant Data

Companies shouldn’t collect or keep anything beyond information strictly needed for the task.

For example, a grocery store might need your address to arrange deliveries but has no reasonable need for, say, your ethnicity or political opinions just because you opened an account.

In one case, a fashion retailer recorded staff holiday information without any justification and was fined £40,000 by the UK Information Commissioner’s Office (ICO).

Businesses Can Only Ask for Information They Really Need

  • Companies should not collect more data about you than they actually need to do what they said they would.
  • They shouldn’t gather extra information just because they might find a use for it later.

Why this matters:

  • It protects your privacy more if they only have the minimum details they really require right now.

Example:

A pizza shop only needs payment details and a delivery address, not anything else private like health records.

4. Keeping Data Accurate

Any company holding onto details about you for ongoing business must keep them updated in their system. Your address might change if you move, or you could get a new phone number or email address.

According to the UK’s data protection regulator, around 25% of complaints relate to poor record-keeping, including holding onto old unnecessary data.

Businesses Must Make Sure the Information They Keep Is Accurate

  • If companies have information about you in their records, they need to take steps to make sure it’s right and up-to-date.

Why this matters:

  • Out-of-date or wrong information could cause you problems when they try to use it.

Example:

A tutoring service lets parents update any contact details that have changed so it always has the right information.

5. Remove Data When No Longer Needed

Once the purpose is over, such as finalising a purchase you made, companies shouldn’t keep personal information forever.

What counts as “needed” is partly a matter of judgement, within limits.

For example, an online retailer will typically keep past purchase records for potential returns, warranties, or accounting reasons.

But they shouldn’t maintain all the personal details associated with those old sales indefinitely without good cause.

Businesses Must Remove Data When It Is No Longer Needed

  • After companies use your information for something like a purchase or contest you entered, they shouldn’t just keep it forever.
  • They need good reasons to store it for long periods.

Why this matters:

  • The longer they have it, the more chances for it to get hacked, lost, or misused.

Example:

If an art class takes phone numbers for a showcase invite, it should delete them after the event instead of keeping them forever.
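In practice the retention rule above is enforced by a scheduled job that compares each record’s purpose against a documented retention schedule. The Python below is an added example written for this article, not code from the original page or from any organisation mentioned in it; the purposes, retention periods and sample records are constructed assumptions. It covers the two cases a naive purge gets wrong: records under a legal hold, which must be kept past their normal expiry, and records whose purpose the schedule does not cover, which are flagged for review rather than silently kept or deleted.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention periods in days, per purpose. These values are assumptions made for
# this example; a real schedule comes from the organisation's documented
# retention policy and its legal obligations.
RETENTION_DAYS = {
    "event_invite": 30,   # contact details gathered for a one-off event
    "marketing": 730,     # two years after the last contact
    "order": 2190,        # six years for order and accounting records
}

# Fixed "current time" so the example is reproducible (assumption).
EXAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str
    last_needed: datetime     # event date, last contact, or order date
    legal_hold: bool = False  # e.g. subject to a dispute or a regulator request


def classify(records, now, policy=RETENTION_DAYS):
    """Sort records into three buckets: delete, keep, and review.

    - delete: the retention period for the record's purpose has run out
    - keep:   still inside the period, or under a legal hold
    - review: purpose not covered by the policy; neither deleted nor kept
              silently, because either choice could be the wrong one
    """
    delete, keep, review = [], [], []
    for r in records:
        if r.purpose not in policy:
            review.append(r.record_id)
            continue
        if r.legal_hold:
            keep.append(r.record_id)
            continue
        expires = r.last_needed + timedelta(days=policy[r.purpose])
        if now >= expires:
            delete.append(r.record_id)
        else:
            keep.append(r.record_id)
    return delete, keep, review


def sample_records():
    """Constructed sample data for the example; not real customer records."""
    utc = timezone.utc
    return [
        Record("inv-1", "event_invite", datetime(2024, 4, 1, tzinfo=utc)),
        Record("inv-2", "event_invite", datetime(2024, 5, 20, tzinfo=utc)),
        Record("ord-1", "order", datetime(2017, 1, 15, tzinfo=utc)),
        Record("ord-2", "order", datetime(2017, 1, 15, tzinfo=utc), legal_hold=True),
        Record("mkt-1", "marketing", datetime(2023, 1, 1, tzinfo=utc)),
        Record("an-1", "analytics", datetime(2020, 1, 1, tzinfo=utc)),
    ]


if __name__ == "__main__":
    delete, keep, review = classify(sample_records(), EXAMPLE_NOW)
    print("delete:", delete)   # ['inv-1', 'ord-1']
    print("keep:  ", keep)     # ['inv-2', 'ord-2', 'mkt-1']
    print("review:", review)   # ['an-1']
```

The job that acts on the `delete` list should also record what it removed and when, since being able to show that the schedule is applied is part of the accountability principle described later in this article.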

6. Protecting Your Data

Companies must put in place appropriate technical and organisational safeguards, taking into account the state of the art and the sensitivity of the data, against things like hacking, theft of files or IT equipment, unauthorised staff access, and human error leading to data getting out.

Fines for UK companies after serious breaches now run into the millions (British Airways and Marriott were each fined more than £18 million in 2020), emphasising that the regulator takes protection responsibilities extremely seriously.

Businesses Must Take Proper Measures to Keep People’s Information Safe

  • Companies must put in place security measures so no unauthorized people can ever access, change, or take any data about their customers or employees.

Why this matters:

  • It keeps your private details safer from criminals who might try to steal or misuse them.

Example:

Private medical details need access controls proportionate to their sensitivity: strong authentication for staff (for example multi-factor login rather than a password alone), access limited to the staff who actually need a given record, and a log of who viewed what so misuse can be detected.
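One of the technical measures the UK GDPR itself names for protecting personal data is pseudonymisation: replacing direct identifiers with tokens before a copy of the data is used for reporting or analysis, so that a leaked copy does not reveal who the records are about. The Python below is an added example written for this article, not code from the original page or from any organisation mentioned in it; the field names and sample records are constructed. It uses a keyed HMAC rather than a plain hash, because email addresses and phone numbers are easy to enumerate and an unkeyed hash could be reversed simply by hashing candidate values.

```python
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers in this example (assumption).
DIRECT_IDENTIFIERS = ("email", "phone")


def normalise(value):
    """Canonicalise an identifier so trivially different spellings map to
    the same pseudonym (e.g. 'Alice@Example.com ' and 'alice@example.com')."""
    return " ".join(value.strip().lower().split())


def pseudonymise(value, key):
    """Keyed pseudonym: HMAC-SHA256 over the normalised value.

    A plain, unkeyed hash would not be enough: anyone holding the dataset
    could rebuild the mapping by hashing every plausible email address or
    phone number. With a secret key kept outside the dataset, only the key
    holder can re-link a pseudonym to the person it stands for.
    """
    mac = hmac.new(key, normalise(value).encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def pseudonymise_record(record, key, fields=DIRECT_IDENTIFIERS):
    """Return a copy of `record` with direct identifiers replaced by pseudonyms.
    Non-identifying fields (e.g. the clinic) are left as they are."""
    out = dict(record)
    for field in fields:
        if out.get(field) is not None:
            out[field] = pseudonymise(str(out[field]), key)
    return out


def sample_records():
    """Constructed sample data for the example; not real patient records.
    The phone numbers are in the UK range reserved for fiction."""
    return [
        {"patient_ref": "P-1001", "email": "Alice@Example.com ",
         "phone": "07700 900001", "clinic": "Leeds"},
        {"patient_ref": "P-1002", "email": "alice@example.com",
         "phone": "07700 900002", "clinic": "York"},
    ]


if __name__ == "__main__":
    # In production the key lives in a secrets manager, separate from the data.
    key = secrets.token_bytes(32)
    for rec in sample_records():
        print(pseudonymise_record(rec, key))
```

Two points follow from the design. The key must be stored and access-controlled separately from the pseudonymised copy, otherwise the protection is illusory. And because the data can be re-linked by whoever holds the key, the law still treats a pseudonymised copy as personal data, so it still needs the other safeguards described above.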

7. Taking Responsibility for Data

Businesses that collect information about customers or workers need to take good care of it – by law!

This means having someone responsible for oversight, training everyone to handle information correctly, checking regularly that the controls actually work, and having a plan for when something goes wrong. A personal data breach that is likely to put people’s rights at risk must be reported to the ICO within 72 hours of the company becoming aware of it.

Under the 2018 rules, a Data Protection Officer is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of people or large-scale processing of special category data, a requirement reported to cover over 10,000 UK firms.

Businesses Must Check That Information Is Being Handled Correctly

  • Companies should watch over themselves to make sure all employees are properly protecting customer data and anyone’s privacy rights.

Why this matters:

  • It means your information stays protected company-wide over time, not just in some departments.

Example:

Just as banks have someone who makes sure money is safe, they also have someone who makes sure your information is safe.

This person checks regularly that things are being done the right way and that the privacy rules are being followed.

8. Respecting Your Rights

Remember, the rules today give you more power over your information!

You can ask companies to:

  • Delete your data: In many situations, for example when the data is no longer needed for the purpose it was collected for, or you withdraw consent that was the only basis for holding it, they must erase it. The right is not absolute: a company can keep records it is legally required to hold, such as accounting records.
  • Stop using it in ways you don’t like: You can object to direct marketing at any time, and to other uses in some circumstances.
  • Fix it if it’s wrong: You can require inaccurate information about you to be corrected.
  • Give you a copy: A subject access request entitles you to a copy of the personal data a company holds about you, normally free of charge and within one month.

Over 175,000 people made formal data subject access requests to UK companies in 2021.

So don’t be afraid to speak up if you ever have any concerns about your personal information!

Companies Must Have Genuine Reasons for Collecting Your Data

  • Companies can’t gather information about you “just because.” They need a lawful basis for processing it. Consent is one such basis, but not the only one: the UK GDPR also allows processing that is necessary to perform a contract with you, to meet a legal obligation, to protect someone’s life, to carry out a public task, or for the company’s legitimate interests where these don’t override your rights.

Why this matters:

  • It prevents gathering personal data for no good purpose or without a legal footing.

Examples:

  • A shop asks for your phone number so it can call if there is a problem with a delivery you ordered. This is a valid reason that benefits you, because it is needed to fulfil your order.
  • A company wants to use your buying habits to decide what other products to market to you. It asks your approval to analyse your purchase history for patterns. This use can benefit the company and offer you some convenience, if you agree.
  • A stranger approaches you asking for your home address and daily routine for no stated reason. They have no lawful reason to ask for these personal details.
  • An app for sharing school project photos with classmates asks for access to your entire phone contacts list for no stated reason. Nothing in the app’s purpose requires everyone else’s private data.

UK Data Protection After Brexit

The UK’s Data Protection Act 2018 was introduced partly to align with Europe’s General Data Protection Regulation (GDPR).

But then the UK left the EU in an event called “Brexit”. Now the UK makes its own rules on what companies here have to do to help protect your personal details.

In 2021, the UK government said it wants to update its data protection laws a bit. However, they still want to keep all the key rights people have around:

  • Companies needing a lawful basis, such as your permission (consent), before they can take or use your information
  • Being able to ask what data a company has about you
  • Telling companies to delete your personal information if you want

The UK says it wants to have some of the strongest privacy laws in the world. And any changes have to be debated and agreed in its Parliament first.

What’s the Information Commissioner’s Office?

The Information Commissioner’s Office, or ICO, oversees the privacy rules that organisations have to follow in the UK.

They help protect people’s personal information and data.

What They Do

  1. Publish guidance and statutory codes of practice explaining what businesses can and can’t do with details about customers like your name, your age, where you live, etc. The laws themselves are made by Parliament; the ICO interprets and enforces them.
  2. Check that organisations properly follow important privacy rules when they gather and use information about people. If a business breaks the laws, the ICO investigates.
  3. Give guidance to help organisations understand the right and wrong ways to handle private customer data.
  4. Penalise any business that really messes up on privacy – like secretly sharing or selling people’s information when they shouldn’t.
  5. Teach the public useful rights – like being able to ask what data an organisation has on you, or making them fix outdated information they have wrong.

Summary: Putting You in Charge

The point of having data protection laws in the UK is to make sure companies explain clearly why they need your information and what they intend to use it for.

The rules are there to protect your rights and choices about your own details.

key points to remember about the eight data protection principles:

  • Require companies to be open and honest about why they want your information in the first place.
  • Make sure they have a lawful basis, such as your consent or a contract with you, before collecting any data about you.
  • Let you access any information a company holds about you when you ask.
  • Allow you to have your personal details deleted when the law entitles you to.

At its core, data protection tries to put regular people in charge of their own information as much as realistically possible.

The choice about what happens to your data should be yours.

Companies shouldn’t gather or spread your details without explaining why or getting your approval first.
