The General Data Protection Regulation (GDPR) was enacted to protect the privacy rights of residents of the European Union. One of the ways in which GDPR protects privacy is by enacting certain principles relating to the processing of personal data. In the data minimisation principle, GDPR specifies that personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which that personal data is processed. In this article, we will discuss the data minimisation principle, including tips on how to determine if you are processing too much data and how you can evaluate your data management practices.
What are the requirements of the data minimisation principle?
If GDPR applies to you, the data minimisation principle requires you to ensure that the personal data that you are processing is:
- Adequate, meaning that it is sufficient to properly fulfill your stated purpose;
- Relevant - has a rational link to that purpose; and
- Limited to what is necessary, meaning that you do not hold more than you need for that purpose.
According to the United Kingdom’s Information Commissioner’s Office, you should ensure that you perform the following:
- You only collect personal data that you actually need for your specified purposes;
- You have sufficient personal data to properly fulfill those purposes; and
- You periodically review the data you hold, and delete anything that you do not need.
How much data do you need?
Before you start mapping all of your data, a good question to ask yourself is for what purposes you plan on using that data. Once you compile the list of purposes, ask yourself what is the minimum amount of personal data that you need to fulfill those purposes. You should only collect and store the personal data on that list. Remember that under GDPR, you need to be able to demonstrate that you have appropriate processes in place to ensure that you only collect the data that you need so make sure that you retain all documentation of the steps that you are taking on the data minimisation process.
The following factors can indicate that you are collecting too much data:
- You collect data that includes irrelevant details;
- You collect data on people that relate to the data subject;
- You do not have a particular purpose in mind for the data and keep it “just in case you need it in the future.”
Deletion of personal data
While data minimisation starts with collecting the proper amount of data, it ends with a purging of data that is outdated, no longer serving the purposes for which it was collected and when a data subject exercises the right to erasure. The period for which you store data should be limited to a strict minimum as well. You should have a data retention schedule and policies and procedures for when and how you will delete that personal data.
Data minimisation is a crucial undertaking as it will not only help you comply with GDPR, but it will also reduce your risks in case of a data breach, make it easier to respond to data subject requests and even reduce the cost of your infrastructure.