Core Principles of GDPR

GDPR establishes seven key principles that guide all data processing activities. Lawfulness, fairness, and transparency require that data collection have a legal basis and users understand what data is collected and why. Purpose limitation means data can only be used for the specific purposes disclosed to users. Data minimization requires collecting only necessary data. Accuracy mandates keeping data current and correct. Storage limitation restricts how long data is retained. Integrity and confidentiality demand appropriate security measures. Accountability requires organizations to demonstrate compliance with all principles.

These principles translate into specific technical requirements. Lawfulness often means implementing consent mechanisms that are freely given, specific, informed, and unambiguous. Transparency requires clear privacy notices and data processing explanations. Purpose limitation affects database design and API access controls. Data minimization influences form design and data collection strategies.

// Example: GDPR-compliant consent implementation
class GDPRConsent {
  constructor() {
    this.consentData = {
      analytics: false,
      marketing: false,
      functional: true, // Strictly necessary cookies may default to true; every other category must default to false
      timestamp: null,
      ipAddress: null,
      userAgent: null
    };
  }

  // Check if user has given consent for a category (false when nothing is stored)
  hasConsent(category) {
    const stored = this.getStoredConsent();
    return Boolean(stored && stored[category] === true);
  }

  // Get stored consent from localStorage; an unreadable value is treated as "no consent"
  getStoredConsent() {
    try {
      const consent = localStorage.getItem('gdpr_consent');
      return consent ? JSON.parse(consent) : null;
    } catch (error) {
      console.error('Stored consent is unreadable, treating it as not given:', error);
      return null;
    }
  }

  // Save consent with metadata. The localStorage copy only drives the client;
  // the record sent to the server is the authoritative compliance evidence,
  // because anything in localStorage can be edited by the user or by scripts.
  saveConsent(choices) {
    const consentRecord = {
      ...choices,
      timestamp: new Date().toISOString(),
      ipAddress: this.getUserIP(), // Filled in server-side from the request
      userAgent: navigator.userAgent,
      version: '1.0' // Track consent version so a changed notice triggers re-consent
    };

    localStorage.setItem('gdpr_consent', JSON.stringify(consentRecord));

    // Also send to server for record-keeping
    this.sendConsentToServer(consentRecord);
  }

  // The browser cannot determine its own public address; the server derives it
  // from the incoming request when it receives the record, so this stays null here
  getUserIP() {
    return null;
  }

  // Withdraw consent for specific categories
  withdrawConsent(categories) {
    const current = this.getStoredConsent();
    if (current) {
      categories.forEach(cat => {
        current[cat] = false;
      });
      current.withdrawalTimestamp = new Date().toISOString();
      this.saveConsent(current);

      // Trigger cleanup of any data collected under withdrawn consent
      this.triggerDataCleanup(categories);
    }
  }

  // Remove client-side data held under a withdrawn category. Keys are assumed to
  // follow a "<category>_" naming convention; server-side deletion is driven by
  // the withdrawal record that saveConsent already sent.
  triggerDataCleanup(categories) {
    categories.forEach(cat => {
      const prefix = `${cat}_`;
      Object.keys(localStorage)
        .filter(key => key.startsWith(prefix))
        .forEach(key => localStorage.removeItem(key));
    });
  }

  // Send consent record to server for compliance documentation
  async sendConsentToServer(consentData) {
    try {
      const response = await fetch('/api/privacy/consent', {
        method: 'POST',
        headers: {
          'Content-Type': 'application/json',
        },
        body: JSON.stringify(consentData)
      });
      if (!response.ok) {
        throw new Error(`Server rejected consent record: HTTP ${response.status}`);
      }
    } catch (error) {
      console.error('Failed to record consent:', error);
      // Queue for retry to ensure compliance records are maintained
      this.queueConsentSync(consentData);
    }
  }

  // Persist an unsent record so it can be retried on the next page load
  queueConsentSync(consentData) {
    const queue = JSON.parse(localStorage.getItem('gdpr_consent_queue') || '[]');
    queue.push(consentData);
    localStorage.setItem('gdpr_consent_queue', JSON.stringify(queue));
  }

  // Retry queued records; call this once on page load
  async flushConsentQueue() {
    const queue = JSON.parse(localStorage.getItem('gdpr_consent_queue') || '[]');
    localStorage.removeItem('gdpr_consent_queue');
    for (const record of queue) {
      await this.sendConsentToServer(record); // Re-queues itself on failure
    }
  }
}
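As an added example that is not part of the original page, here is the server side of the record that sendConsentToServer posts: an append-only consent ledger plus the purpose-limitation gate an API handler calls before it processes a user's data for a given purpose. The names ConsentLedger, canProcess and CURRENT_POLICY_VERSION are assumptions, and the ledger keeps only the fields the gate and audit trail need; extend the whitelist if your record-keeping policy also requires the client's ipAddress and userAgent.

```javascript
// Added example: server-side consent ledger with a purpose-limitation gate.
// Hypothetical names; the policy version must match the client's `version` field.
const CURRENT_POLICY_VERSION = '1.0';
const CONSENT_CATEGORIES = ['analytics', 'marketing', 'functional'];

class ConsentLedger {
  constructor() {
    this.records = new Map(); // userId -> append-only array of consent entries
  }

  // Accept a record posted by the client. Only known categories and the fields
  // the gate needs are kept; unknown keys are dropped rather than trusted.
  record(userId, posted, receivedAt = new Date()) {
    if (typeof posted.timestamp !== 'string' || Number.isNaN(Date.parse(posted.timestamp))) {
      throw new Error('consent record needs an ISO timestamp');
    }
    const entry = {
      receivedAt: receivedAt.toISOString(),
      timestamp: posted.timestamp,
      version: String(posted.version || ''),
      withdrawalTimestamp: posted.withdrawalTimestamp || null
    };
    for (const cat of CONSENT_CATEGORIES) entry[cat] = posted[cat] === true; // anything but exactly true is "no"
    const history = this.records.get(userId) || [];
    history.push(Object.freeze(entry)); // entries are never edited, only superseded
    this.records.set(userId, history);
    return entry;
  }

  latest(userId) {
    const history = this.records.get(userId);
    return history ? history[history.length - 1] : null;
  }

  // Purpose-limitation gate: deny unless the latest record explicitly allows this
  // purpose under the current policy version. Unknown purposes are denied, not defaulted.
  canProcess(userId, purpose) {
    const rec = this.latest(userId);
    if (!rec) return false;                                   // nothing on file
    if (rec.version !== CURRENT_POLICY_VERSION) return false; // consent predates the current notice: re-ask
    if (!CONSENT_CATEGORIES.includes(purpose)) return false;
    return rec[purpose] === true;
  }

  // Accountability and right of access: the full history as machine-readable JSON
  exportHistory(userId) {
    return JSON.stringify(this.records.get(userId) || []);
  }
}
```

An analytics endpoint would call ledger.canProcess(userId, 'analytics') before touching the user's data, so a withdrawal re-posted by the client above immediately closes that path.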

GDPR grants users specific rights that applications must support technically. The right to access means users can request all data an organization holds about them. The right to rectification allows users to correct inaccurate data. The right to erasure (right to be forgotten) enables users to request data deletion. The right to data portability requires providing user data in machine-readable formats. The right to object allows users to opt out of certain processing activities.