The General Data Protection Regulation was been discussed here before, but keep in mind that Chapter II of the GDPR specifies 6 key principles for processing personal data and 7 general principles overall.
1. ARTICLE 5 - Processing of Personal Data
1. Must be lawful and transparent.
2. The processing must be limited to a specified purpose.
3. Only the minimum data needed should be processed
4. Inaccurate data must be immediately erased or corrected.
5. Personal data must be stored in a manner permitting personal identification for no longer than is necessary.
6. Data Security must be maintained.
THINK: MC PSST - MINIMIZE; CORRECT; PURPOSE; STORE; SECURITY; TRANSPARENT
2. ARTICLE 6 - Lawfulness of Processing
Data can only be processed if there is consent; a contractual obligation; a legal obligation; a need to protect a vital interest of a person; a public interest; or legitimate interests of a third party that don't override the rights of the data subject.
3. ARTICLE 7 - Conditions for Consent
Specific consent must be given for specific matters and consent can be withdrawn at any time.
4. ARTICLE 8 - Child's Consent
Parental consent is needed for the use of data pertaining to children younger than 16 years old.
5. ARTICLE 9 - Special Categories of Personal Data
Data cannot be processed to show a person's racial or ethnic origin, political opinions, sexual orientation, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data to identify a person is prohibited without consent or for another legitimate purpose.
6. ARTICLE 10 - Criminal Convictions
Only official authorities can keep a comprehensive register of criminal activity.
7. ARTICLE 11 - Processing That Does Not Require Identification
If the purpose for which data is processed does not require identification of a data subject, the controller does not have to process additional information to identify the data subject for the purpose of complying with the GDPR.
This is a silly anagram, but think: LID CCCC