This is the second of three principles about data standards, along with data minimisation and storage limitation.

Article 5(1)(d) of the Applied GDPR requires that personal data is:

"accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay".

Controllers should note the specific reference to the rights of erasure and rectification of personal data. In addition, individuals have a right to restrict the processing of inaccurate data and controllers must be able to comply with those rights when exercised.

In order to comply with this principle:


In practice, this means that you must:

When is personal data ‘accurate’ or ‘inaccurate’? 

The GDPR does not define the word ‘accurate’. However, the Data Protection Act 2018 does say that ‘inaccurate’ means “incorrect or misleading as to any matter of fact”. It will usually be obvious whether personal data is accurate.

You must always be clear about what you intend the record of the personal data to show. What you use it for may affect whether it is accurate or not. For example, just because personal data has changed doesn’t mean that a historical record is inaccurate – but you must be clear that it is a historical record.