OneTrust GDPR Deep Dive Series

Chapter 2: Principles

Chapter 2 outlines basic principles and provides information to help companies prepare to meet new data protection requirements.

The overall goal of the GDPR is to increase harmonisation among the EU member states, and, under the new regulation, compliance requirements across the EU will become far more consistent. However, keep in mind that each country’s requirements could still vary, even after the GDPR takes effect (e.g., in the areas of national security, employment law, and freedom of speech).

Above all, the key takeaways from Chapter 2 pertain to the integrity and confidentiality that a company must demonstrate when processing and protecting personal data.

Leveraging appropriate technical and organizational security measures when processing personal data is non-negotiable, as is protection against unauthorized or unlawful processing, and against accidental loss, destruction, or damage.

While the processing of special categories of personal data was already prohibited by EU law, the GDPR adds a prohibition on processing biometric data that would uniquely identify an individual.

The GDPR provides greater consistency with the application of binding corporate rules (BCRs), as the current requirements for BCRs will be explicitly acknowledged as valid in all member states.

Lastly, Chapter 2 discusses “lead DPAs” for each member state, endorsing a “one-stop shop” approach in which an organization would interact only with its lead DPA on regulatory issues, thus avoiding unnecessary interaction with multiple DPAs across the EU.

Chapter 2 Articles and Descriptions

Article 5: Principles relating to personal data processing
Article 6: Lawfulness of processing
Article 7: Conditions for consent
Article 8: Processing of personal data of a child
Article 9: Processing of special categories of personal data
Article 9a: Processing of data relating to criminal convictions and offenses
Article 10: Processing not allowing identification
GDPR will come into effect on May 25, 2018, and OneTrust believes that every global organization should start considering how to best implement efficient and effective data-handling practices that are replicable and consistent. The GDPR Deep Dive Series delves into each chapter of the GDPR to summarize key takeaways of the new governance in an easy-to-digest format. It is intended to help privacy executives with implementation and operationalization of GDPR regulations, and will be published bi-weekly on our blog.