1. Lawfulness, fairness and transparency – data processing must be lawful, fair and transparent to the data subject. Organizations must have a lawful basis for processing personal data and inform data subjects what data is collected and how it’s used.
2. Purpose limitation – personal data can only be collected for specified, explicit and legitimate purposes. Data can’t be processed in a way that is incompatible with those purposes.
3. Data minimization – organizations should only collect and process personal data that is adequate, relevant and limited to what is necessary for the purposes for which it is processed.
4. Accuracy – personal data must be kept accurate and up to date. Inaccurate data should be erased or rectified.
5. Storage limitation – data should only be kept in a form allowing identification of data subjects for no longer than necessary for the purposes which it is processed.
6. Integrity and confidentiality – data must be processed in a way that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage.
7. Accountability – organizations are responsible for complying with GDPR principles and must be able to demonstrate their compliance.

The key principles focus on transparency, purpose limitation, data minimization, accuracy, storage limitation, security, and accountability around personal data processing.