
GDPR Art.5.1d: Accuracy

What This Control Requires

Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy').

In Plain Language

Wrong data leads to wrong decisions - and when those decisions affect real people, the consequences range from incorrect billing to wrongful denial of credit or employment. The GDPR puts the burden squarely on you to keep personal data correct, complete, and current.

The "where necessary" qualifier matters here. Not all data needs constant updating. A historical record of a customer's address at the time of a transaction can stay as-is. But an employee's emergency contact details? Those need regular verification. You have to assess, for each processing activity, whether data currency actually matters to the purpose.

When you spot inaccurate data, fix or delete it promptly. Give data subjects a straightforward way to request corrections (that is their Article 16 right), and build internal quality checks that catch errors proactively. If you have shared bad data with third parties, let them know about the correction too.

How to Implement

Put data quality controls at the front door. Use input validation, standardised formats, dropdowns where appropriate, and real-time verification (address lookup, email validation, phone number checks). Use date pickers instead of free-text date fields. The less room for human error at collection, the fewer problems downstream.

Set up ongoing quality management. Run automated checks that flag duplicates, inconsistencies, and potential inaccuracies. Schedule periodic reviews of datasets that change over time - contact details, employment status, financial information - especially those used for decision-making.

Make it easy for people to fix their own data. A self-service portal where individuals can update their information is ideal. At minimum, provide a clear contact point and a documented process for handling rectification requests within the one-month Article 12(3) deadline. Make sure corrections propagate to every system where the data lives.

Track data quality with metrics. Define accuracy thresholds for different data categories, monitor against them, and report results to your DPO regularly. If accuracy is dropping, you want to know before a regulator does.

Pay extra attention to data feeding automated decisions or profiling. Inaccurate data in an algorithm can cause harm at scale. Audit these datasets regularly and put human review processes in place to catch systemic errors.
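As an added illustration (not AuditFront's code), the automated checks and threshold tracking described above could be run as a scheduled job like the one below. The field names, the 365-day review interval, the 95% targets and the sample records are all assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample records (not real data); field names are assumptions.
RECORDS = [
    {"id": 1, "email": "Ana.Ruiz@example.com", "phone": "+34911234567", "verified": date(2025, 1, 10)},
    {"id": 2, "email": "ana.ruiz@example.com ", "phone": "+34911234567", "verified": date(2023, 3, 2)},
    {"id": 3, "email": "j.meyer@example", "phone": "+4930123456", "verified": date(2024, 11, 5)},
    {"id": 4, "email": "li.wei@example.org", "phone": "030 123456", "verified": date(2022, 6, 1)},
]
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # syntactic check only
PHONE_RE = re.compile(r"^\+[1-9]\d{7,14}$")           # E.164-style format
MAX_AGE_DAYS = 365                            # assumed review interval
THRESHOLDS = {"email": 0.95, "phone": 0.95}   # assumed accuracy targets

def audit(records, today):
    """Return per-record findings, per-field validity rates, breached fields."""
    findings = defaultdict(list)
    seen = {}                       # normalised email -> first record id
    valid = {"email": 0, "phone": 0}
    for r in records:
        email = r["email"].strip().lower()   # normalise before comparing
        if EMAIL_RE.match(email):
            valid["email"] += 1
        else:
            findings[r["id"]].append("invalid_email")
        if PHONE_RE.match(r["phone"]):
            valid["phone"] += 1
        else:
            findings[r["id"]].append("invalid_phone")
        # Flag records whose last verification is older than the interval.
        if (today - r["verified"]).days > MAX_AGE_DAYS:
            findings[r["id"]].append("stale")
        # Duplicates are detected on the normalised value, so case and
        # whitespace variants of the same address are caught.
        if email in seen:
            findings[r["id"]].append(f"duplicate_of:{seen[email]}")
        else:
            seen[email] = r["id"]
    metrics = {f: valid[f] / len(records) for f in valid}
    breaches = sorted(f for f, v in metrics.items() if v < THRESHOLDS[f])
    return dict(findings), metrics, breaches

if __name__ == "__main__":
    print(audit(RECORDS, date(2025, 6, 1)))
```

The findings give the remediation queue, and the metrics and breach list are the figures that would go into the periodic report to the DPO.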

Evidence Your Auditor Will Request

  • Data quality procedures and standards documentation
  • Evidence of input validation controls on data collection forms and systems
  • Records of data quality audits and remediation activities
  • Self-service portal or documented process for data subjects to correct their data
  • Metrics and reports showing data accuracy levels over time

Common Mistakes

  • No systematic process for verifying data accuracy at the point of collection
  • Outdated data retained indefinitely without any mechanism for periodic review or updating
  • Data corrections applied in one system but not propagated to other systems holding the same data
  • No accessible mechanism for data subjects to request correction of their personal data
  • Automated decisions made on the basis of inaccurate personal data without adequate quality controls

Related Controls Across Frameworks

Framework | Control ID | Relationship
ISO 27001 | A.5.33 | Related

Frequently Asked Questions

Do we need to proactively verify all personal data we hold?

You need to take "every reasonable step," which is proportional to the stakes. Data used for high-impact decisions - credit scoring, employment screening - demands rigorous verification. Data used for a general mailing list? Less so. Focus your proactive efforts where inaccuracy could actually cause harm to individuals.

What should we do if a data subject disputes the accuracy of their data?

Investigate the claim. If they are right, correct the data without delay. While you are investigating, you can restrict processing of the disputed data under Article 18. If you conclude the data is actually accurate, document your reasoning clearly and let the individual know they can complain to a supervisory authority if they disagree.

How do we handle accuracy for data obtained from third parties?

You are still on the hook for accuracy, regardless of where the data came from. Build verification checks into your intake process for third-party data, include accuracy warranties in your data sharing agreements, and have a process for flagging errors back to the source. "We got it wrong because our supplier gave us bad data" is not a defence that holds up with regulators.
