Data Protection Act 2018
Data protection by design and by default
76. (1) A controller shall, without prejudice to the generality of section 75(1), for the purposes of meeting the requirements of this Part and protecting the rights of data subjects—
(a) when determining the means of processing personal data, and
(b) when carrying out the said processing,
implement appropriate technical and organisational measures that are designed—
(i) to implement the principles of the protection of personal data contained in this Part in an effective manner, and
(ii) to integrate the necessary safeguards into the said processing.
(2) Without prejudice to the generality of section 75(1) and subsection (1), a controller shall, subject to subsection (3), when processing personal data implement appropriate technical and organisational measures to ensure that only personal data that are necessary for each specific purpose of the processing are processed.
(3) The requirement in subsection (2) applies in relation to—
(a) the amount of personal data collected for the processing concerned,
(b) the extent of the processing of the personal data concerned,
(c) the period for which the personal data concerned are stored, and
(d) the accessibility of the personal data concerned.
(4) Technical and organisational measures implemented in accordance with subsection (2) shall ensure that personal data are not made generally available unless, and only to the extent, authorised by the controller.