The GDPR requires that personal data is processed in line with the 6 principles, namely that personal data shall be:
(a) processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in any manner incompatible with those purposes. Further processing for archiving, scientific or historical research or statistical purposes is permissible (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date (‘accuracy’);
(e) not kept for longer than is necessary for that purpose (‘storage limitation’);
(f) processed in a manner that ensures appropriate security including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
In addition, the accountability principle as set out in Article 5(2) requires that:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
Source: GDPR, Article 5.