The UK GDPR requires that personal data must be:

• Processed lawfully, fairly and in a transparent manner
• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
• Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (known as data minimisation)
• Accurate and kept up to date (inaccurate personal data must be erased or rectified without delay)
• Kept in a form which permits identification of data subjects for no longer than is necessary
• Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.