What is the GDPR Integrity and Confidentiality Principle?

Defined in Article 5(1)(f) of the General Data Protection Regulation (GDPR), integrity and confidentiality is the sixth principle related to the processing of personal data.

Integrity and Confidentiality Summary

  • Organizations (data controllers) are responsible for the security of personal data they collect and store
  • Either technology or organizational measures should be utilized to ensure the security of personal data
  • Security measures need to protect against:
    • Unauthorized or unlawful processing
    • Accidental loss
    • Destruction or damage

What are the primary differences between the GDPR and the 1998 Data Protection Act (DPA)?

The GDPR integrity and confidentiality principles are mostly unchanged compared to the 1998 Data Protection Act, other than placement related to other legal principles. Article 17(1) of the 1998 Act describes responsibilities of data security. The GDPR moves this obligation into the Data Protection Principles, reinforcing the idea of data security as a fundamental obligation for data controllers.

Business Considerations for Organizations to Understand

What measures should you take to comply?

The first and essential step is to run an information risk assessment using data discovery tools to interrogate personal data across all data repositories within an organization.

Data Discovery

  • define what personal data the organization needs to investigate
  • locate all the places your organization is storing the data
  • create an inventory of who is using or has access to the data

After data discovery is complete, the organization should carefully evaluate results to address business vulnerabilities to sensitive personal data.


  • enforce user access controls based upon data discovery results
  • either apply encryption or data masking to sensitive personal data

After remediating existing personal data, the organization should apply continuous monitoring tools to ensure that the security measures the organization applies to the data continue to remain intact.

Continuous Monitoring

  • apply monitoring tools to ensure the organization is protecting new and existing data
  • enable breach detection tools to alert suspicious activity

What organizational measures should you adopt?

Organizations should start with an information risk assessment, using data discovery tools to identify and remediate personal data vulnerabilities. Assign a point person within the organization (a DPO, for example) to manage day-to-day information security. Ensure the assigned team members have the appropriate resources and authority to enforce data security measures. Lastly, work toward adopting an overall culture of security awareness within the organization.

What factors should you consider when determining the level of data security needed?

The type of risks each data has associated with it must comply with the kind of security measures which should be dealing with it.

You should also take account of factors such as:

  • the nature and extent of your organization’s premises and computer systems
  • the number of staff you have and the extent of access provided them to personal data
  • any personal data held or used by a data processor acting on your behalf