OECD Guidelines: 8 Privacy Principles to Live By

Published: September 21, 2018 | Updated: October 24, 2018 | Category: Data Privacy & Security, GDPR

There is no one-size-fits-all solution when it comes to reducing data-privacy risks.

Protection policies may depend on numerous considerations, such as different categories of data, varying legislation, or purpose of data processing.

However, there are frameworks that may be used as tools to help you structure discussions about privacy requirements in your organization.

A great example of such rules comes in the form of principles developed by the Organization for Economic Cooperation and Development (OECD).


Guidelines on the Protection of Privacy and Transborder Flows of Personal Data by the OECD became an internationally accepted set of rules for processing personal information.

Reflected in existing and emerging data-protection laws, they can serve as an excellent basis for any analytics endeavor aiming to reduce data-privacy risks. It is also a sound direction for governance of personal data collected and processed by organizations over the course of their business.

The privacy principles defined by the OECD consist of the following:

Collection Limitation:
Data should be collected only with the knowledge and consent of the individual concerned (the data subject).
Data Quality:
You should collect only information that is relevant to a particular purpose and keep it accurate.
Individual Participation:
The individual concerned should be able to find out whether their information has been collected and must be able to access it if such data exists.
Purpose Specification:
The intended use of a particular piece of information must be known at the time of collection.
Use Limitation:
Collected data must not be used for purposes other than those specified at the time of collection.
Security Safeguards:
Reasonable measures must be taken to protect personal information from unauthorized use, destruction, modification, or disclosure.
Openness:
Individuals should be able to find out what personal data is being collected and be able to contact the entity collecting it.
Accountability:
The data collector should be held accountable for failing to abide by any of the above rules. A designated person should be responsible for ensuring compliance.

OECD guidelines vs GDPR

The OECD principles are closely tied to European Union legislation and cultural expectations.

That’s why it comes as no surprise that GDPR’s spirit and much of its detail reflect the OECD privacy framework. All of this makes the principles outlined above a great core for your web-analytics privacy practices.

However, keep in mind that the provisions of GDPR are much broader and simply following the good practices introduced by OECD won’t be enough to comply with them.

We write about it in numerous blog posts on our website – if you want to learn more about the topic, be sure to visit the GDPR section of our blog.


Aurélie Pols, Contributor

A former Data Governance and Privacy Engineer with Salesforce (previously Krux Digital Inc.), a member of the European Data Protection Supervisor’s Ethics Advisory Group, a professor at IE Business School in Madrid, and an advisor to the International Association of Privacy Professionals (IAPP). A founder of a Privacy and Data Protection Consultancy, Mind Your Privacy.



Ewa Bałazińska, Content Marketer

Content marketing & PR manager @ Piwik PRO. An avid enthusiast of all things digital, MA in Digital Media from Goldsmiths, London.



Karolina Lubowicka, Content Marketer

Content Marketer and Social Media Specialist at Piwik PRO. An experienced copywriter who takes complex topics of data privacy & GDPR and makes them understandable for all.