GDPR Principles

The GDPR principles are the core “constitutional rules” for how personal data must be handled. They are meant to stop organisations drifting into “collect everything, keep forever, do whatever” by forcing purpose, restraint, and responsibility into the design of systems and institutions. Sources: legislation.gov.uk, ico.org.uk

The GDPR is built on seven core principles that govern how personal data must be handled:

1. Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and in a transparent manner so people understand what is happening to their data.
2. Purpose limitation: Personal data must be collected for specified, explicit, and legitimate purposes and not further processed in ways that are incompatible with those purposes.
3. Data minimisation: Personal data must be adequate, relevant, and limited to what is necessary for the stated purpose.
4. Accuracy: Personal data must be accurate and, where necessary, kept up to date, with reasonable steps taken to correct or erase inaccurate data.
5. Storage limitation: Personal data must not be kept in an identifiable form for longer than is necessary for the purposes for which it is processed.
6. Integrity and confidentiality (security): Personal data must be processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing, loss, destruction, or damage.
7. Accountability: The data controller is responsible for complying with the principles and must be able to demonstrate that compliance.