diff --git a/pkg/controller/onepassworditem/onepassworditem_test.go b/pkg/controller/onepassworditem/onepassworditem_test.go
index 858fe74..228cf7f 100644
--- a/pkg/controller/onepassworditem/onepassworditem_test.go
+++ b/pkg/controller/onepassworditem/onepassworditem_test.go
@@ -232,7 +232,7 @@ var tests = []testReconcileItem{
 		expectedError:  nil,
 		expectedResultSecret: &corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      "my-sECReT-it3m",
+				Name:      "my-secret-it3m",
 				Namespace: namespace,
 				Annotations: map[string]string{
 					op.VersionAnnotation: fmt.Sprint(version),
@@ -264,7 +264,7 @@ var tests = []testReconcileItem{
 		expectedError:  nil,
 		expectedResultSecret: &corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      "my-sECReT-it3m",
+				Name:      "my-secret-it3m",
 				Namespace: namespace,
 				Annotations: map[string]string{
 					op.VersionAnnotation: fmt.Sprint(version),
@@ -287,7 +287,7 @@ var tests = []testReconcileItem{
 		},
 	},
 	{
-		testName: "Secret from 1Password item with `_` and `.`",
+		testName: "Secret from 1Password item with `-`, `_` and `.`",
 		customResource: &onepasswordv1.OnePasswordItem{
 			TypeMeta: metav1.TypeMeta{
 				Kind:       onePasswordItemKind,
@@ -305,18 +305,18 @@ var tests = []testReconcileItem{
 		expectedError:  nil,
 		expectedResultSecret: &corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      "my_sECReT.it3m",
+				Name:      "my-secret.it3m",
 				Namespace: namespace,
 				Annotations: map[string]string{
 					op.VersionAnnotation: fmt.Sprint(version),
 				},
 			},
 			Data: map[string][]byte{
-				"password":       []byte(password),
-				"username":       []byte(username),
-				"first-host":     []byte(firstHost),
-				"AWS-Access-Key": []byte(awsKey),
-				"ice_cream.type": []byte(iceCream),
+				"password":          []byte(password),
+				"username":          []byte(username),
+				"first-host":        []byte(firstHost),
+				"AWS-Access-Key":    []byte(awsKey),
+				"-_ice_cream.type.": []byte(iceCream),
 			},
 		},
 		opItem: map[string]string{
diff --git a/pkg/kubernetessecrets/kubernetes_secrets_builder.go b/pkg/kubernetessecrets/kubernetes_secrets_builder.go
index 49a7522..571e25b 100644
--- a/pkg/kubernetessecrets/kubernetes_secrets_builder.go
+++ b/pkg/kubernetessecrets/kubernetes_secrets_builder.go
@@ -80,16 +80,17 @@ func BuildKubernetesSecretData(fields []*onepassword.ItemField) map[string][]byt
 	secretData := map[string][]byte{}
 	for i := 0; i < len(fields); i++ {
 		if fields[i].Value != "" {
-			key := formatSecretName(fields[i].Label)
+			key := formatSecretDataName(fields[i].Label)
 			secretData[key] = []byte(fields[i].Value)
 		}
 	}
 	return secretData
 }
 
-// formatSecretName rewrites a value to be a valid Secret name or Secret data key.
+// formatSecretName rewrites a value to be a valid Secret name.
 //
-// The Secret meta.name and data keys must be valid DNS subdomain names (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
+// The Secret meta.name and data keys must be valid DNS subdomain names
+// (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
 func formatSecretName(value string) string {
 	if errs := kubeValidate.IsDNS1123Subdomain(value); len(errs) == 0 {
 		return value
@@ -97,15 +98,36 @@ func formatSecretName(value string) string {
 	return createValidSecretName(value)
 }
 
-var invalidDNS1123Chars = regexp.MustCompile("[^a-zA-Z0-9-_.]+")
+// formatSecretDataName rewrites a value to be a valid Secret data key.
+//
+// The Secret data keys must consist of alphanumeric numbers, `-`, `_` or `.`
+// (https://kubernetes.io/docs/concepts/configuration/secret/#overview-of-secrets)
+func formatSecretDataName(value string) string {
+	if errs := kubeValidate.IsConfigMapKey(value); len(errs) == 0 {
+		return value
+	}
+	return createValidSecretDataName(value)
+}
+
+var invalidDNS1123Chars = regexp.MustCompile("[^a-z0-9-.]+")
 
 func createValidSecretName(value string) string {
-	result := invalidDNS1123Chars.ReplaceAllString(value, "-")
+	result := strings.ToLower(value)
+	result = invalidDNS1123Chars.ReplaceAllString(result, "-")
 
 	if len(result) > kubeValidate.DNS1123SubdomainMaxLength {
 		result = result[0:kubeValidate.DNS1123SubdomainMaxLength]
 	}
 
 	// first and last character MUST be alphanumeric
-	return strings.Trim(result, "-._")
+	return strings.Trim(result, "-.")
+}
+
+var invalidDataChars = regexp.MustCompile("[^a-zA-Z0-9-._]+")
+var invalidStartEndChars = regexp.MustCompile("(^[^a-zA-Z0-9-._]+|[^a-zA-Z0-9-._]+$)")
+
+func createValidSecretDataName(value string) string {
+	result := invalidStartEndChars.ReplaceAllString(value, "")
+	result = invalidDataChars.ReplaceAllString(result, "-")
+	return result
 }
diff --git a/pkg/kubernetessecrets/kubernetes_secrets_builder_test.go b/pkg/kubernetessecrets/kubernetes_secrets_builder_test.go
index 3ce27ee..ccd86d3 100644
--- a/pkg/kubernetessecrets/kubernetes_secrets_builder_test.go
+++ b/pkg/kubernetessecrets/kubernetes_secrets_builder_test.go
@@ -3,13 +3,13 @@ package kubernetessecrets
 import (
 	"context"
 	"fmt"
-	kubeValidate "k8s.io/apimachinery/pkg/util/validation"
 	"strings"
 	"testing"
 
 	"github.com/1Password/connect-sdk-go/onepassword"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
+	kubeValidate "k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/client-go/kubernetes"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 )
@@ -102,7 +102,7 @@ func TestBuildKubernetesSecretFromOnePasswordItem(t *testing.T) {
 	item.Fields = generateFields(5)
 
 	kubeSecret := BuildKubernetesSecretFromOnePasswordItem(name, namespace, annotations, item)
-	if kubeSecret.Name != name {
+	if kubeSecret.Name != strings.ToLower(name) {
 		t.Errorf("Expected name value: %v but got: %v", name, kubeSecret.Name)
 	}
 	if kubeSecret.Namespace != namespace {
@@ -116,7 +116,7 @@ func TestBuildKubernetesSecretFromOnePasswordItem(t *testing.T) {
 
 func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) {
 	name := "inV@l1d k8s secret%name"
-	expectedName := "inV-l1d-k8s-secret-name"
+	expectedName := "inv-l1d-k8s-secret-name"
 	namespace := "someNamespace"
 	annotations := map[string]string{
 		"annotationKey": "annotationValue",
@@ -129,7 +129,7 @@ func TestBuildKubernetesSecretFixesInvalidLabels(t *testing.T) {
 			Value: "value1",
 		},
 		{
-			Label: strings.Repeat("x", kubeValidate.DNS1123SubdomainMaxLength+1),
+			Label: strings.Repeat("x", kubeValidate.LabelValueMaxLength+1),
 			Value: "name exceeds max length",
 		},
 	}
@@ -205,7 +205,7 @@ func ParseVaultIdAndItemIdFromPath(path string) (string, string, error) {
 }
 
 func validLabel(v string) bool {
-	if err := kubeValidate.IsDNS1123Subdomain(v); len(err) > 0 {
+	if err := kubeValidate.IsConfigMapKey(v); len(err) > 0 {
 		return false
 	}
 	return true