Compliance, Standards and Contracts
The 8 Principles of Data Protection: Why There Are Now 7
If you have been told your business must follow the 8 principles of data protection, you have been given advice that expired in 2018. The eight principles came from the Data Protection Act 1998, which was repealed and replaced on 25 May 2018. What applies to your business now is a list of seven principles, set out in Article 5 of the UK GDPR.
This is not a pedantic distinction. The list changed for a reason, one principle was added that carries most of the enforcement risk, and one of the old eight was moved somewhere that made it stricter rather than softer. Here is the current position, including the changes that came into force in February 2026 and that most guidance on this topic has not caught up with.
Why people still search for 8 principles
The eight principles ran UK data protection for twenty years, so they are baked into old staff training, old policies and a lot of pages that were written once and never revisited. Under Schedule 1 of the Data Protection Act 1998, personal data had to be:
- Processed fairly and lawfully
- Obtained only for specified and lawful purposes
- Adequate, relevant and not excessive
- Accurate and kept up to date
- Not kept longer than necessary
- Processed in accordance with the rights of individuals
- Protected against unauthorised access, loss or damage
- Not transferred outside the EEA without adequate protection
If your data protection policy still lists those eight, it is citing repealed legislation. That is worth fixing, because it is the sort of detail that reads badly to a client, an insurer or a regulator.
The 7 principles that actually apply now
Article 5 of the UK GDPR sets out the current seven. The substance overlaps heavily with the old eight, so nobody needs to relearn the job from scratch:
- Lawfulness, fairness and transparency. You need a valid lawful basis, you must not mislead people about what you are doing, and you must tell them.
- Purpose limitation. Collect data for specified, explicit purposes, and do not later use it for something incompatible.
- Data minimisation. Collect what you need for the purpose and no more.
- Accuracy. Keep it correct and up to date, and correct it when it is wrong.
- Storage limitation. Do not keep personal data in identifiable form for longer than you need it.
- Integrity and confidentiality. Keep it secure against unauthorised processing, loss and damage. This is the security principle.
- Accountability. You must not only comply, you must be able to demonstrate that you comply.
The two changes that matter most
Accountability is the genuinely new one. There was no accountability principle in the 1998 Act. It is the reason documentation exists as a legal obligation rather than a nice-to-have: records of processing, policies, training logs, data protection impact assessments and the evidence trail behind them. In practice, accountability is what turns a good intention into a defensible position. A business doing sensible things with no records fails this principle, and it is a common way to be caught out after a breach, because the question is rarely only “what happened” but “show us what you had in place beforehand”.
International transfers were promoted, not dropped. The old eighth principle covered transfers outside the EEA. It is not in Article 5, which leads people to assume the rule vanished. It did not. Restrictions on international transfers moved into their own chapter of the UK GDPR with its own detailed regime, which is more demanding than the single line it replaced, not less.
The security principle also changed character. Under the 1998 Act the regulator could pursue only the controller. Under the current regime both controllers and processors can be fined, so your suppliers carry their own exposure. Our guide to UK GDPR and the Data Protection Act 2018 covers how those two pieces of law fit together.
What the Data (Use and Access) Act 2025 changed
This is the part almost no guidance on the principles reflects. The main data protection provisions of the Data (Use and Access) Act 2025 came into force on 5 February 2026, and they touch Article 5 directly. The number of principles did not change: there are still seven.
Two changes are worth knowing:
- Purpose limitation got clearer. Section 71 amends Articles 5 and 6 to spell out when personal data can lawfully be reused for a new purpose, an area the government itself accepted was difficult for controllers and individuals to navigate. Reuse still needs an Article 6 lawful ground.
- Recognised legitimate interests arrived. Section 70 creates a new lawful ground under Article 6 covering things like crime prevention, safeguarding vulnerable people, emergency response and national security. For those specific purposes, the balancing test that weighs your interests against the individual’s is no longer required.
One trap worth flagging. The Act also codified examples of ordinary legitimate interests, including direct marketing, sharing data within a group of companies for internal administration, and processing needed for network security. Those are not recognised legitimate interests. They still need a full legitimate interests assessment and a balancing test. The two lists are easy to confuse, and confusing them means skipping an assessment you were required to do.
The GOV.UK factsheet sets out the changes in full.
What to do about it
If you are working from the eight principles, the fix is small. Update your policy to cite Article 5 of the UK GDPR and its seven principles, keep your transfer controls in place because that rule moved rather than disappeared, and put real evidence behind the accountability principle. If you want to pressure-test where you stand, our GDPR audit guide walks through doing it yourself, and who enforces GDPR in the UK explains who is asking the questions.
Frequently asked questions
What are the 8 principles of data protection? They were the principles of the Data Protection Act 1998: fair and lawful processing, specified purposes, adequate and not excessive, accurate, not kept too long, processed in line with individuals’ rights, kept secure, and not transferred outside the EEA without adequate protection. That Act was repealed on 25 May 2018.
Are there 7 or 8 data protection principles in the UK? Seven. Article 5 of the UK GDPR sets out lawfulness fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. The eight principles belonged to the old 1998 Act.
Which principle was added under GDPR? Accountability. It requires you to demonstrate compliance, not merely achieve it, which is why records of processing, policies and impact assessments are legal obligations rather than best practice.
What happened to the eighth principle on international transfers? It was not abolished. Restrictions on transferring personal data outside the UK moved into a dedicated chapter of the UK GDPR with a more detailed regime, so the rule is stricter than the old single principle rather than gone.
Did the Data (Use and Access) Act 2025 change the principles? It did not change how many there are. It amended Article 5 to clarify when data can be reused for a new purpose, and added a new “recognised legitimate interests” lawful ground under Article 6. The main provisions came into force on 5 February 2026.
Is my policy wrong if it still lists 8 principles? It is out of date, and it cites legislation that no longer exists. The underlying obligations overlap a great deal, so the practical risk is usually low, but it signals to clients, insurers and the ICO that your data protection documentation has not been reviewed since 2018.