Data minimisation is a key part of information security and the GDPR (General Data Protection Regulation) in particular.
Its principles are at the heart of effective data protection practices, and are intended to prevent privacy breaches and minimise the damage when security incidents occur.
What is data minimisation?
Data minimisation requires organisations to process personal data only if it serves a specific purpose, and to retain it for only as long as it’s needed to meet that purpose.
Article 5(1) of the GDPR provides further guidance, explaining that organisations should consider three factors whenever they process personal information:
- Adequacy: is the personal data that’s been processed sufficient to fulfil your stated purpose?
- Relevance: does the information have a clear link to that purpose?
- Necessity: do you have more information than you need to fulfil that purpose?
Meeting the requirements
The GDPR doesn’t provide specific guidance on the sorts of practices that meet the threshold of adequacy, relevance and necessity. This is because the answer will depend on the specific circumstances for processing and using the personal data.
As such, organisations must justify their processing practices and explain why they meet the guidelines for data minimisation.
The first step to solving that issue is to understand what you are trying to achieve with this data processing activity. In other words: what is all this information going to be used for? You should be as specific as possible when answering this question, identifying clear objectives.
You can use your documented lawful basis for processing as a guideline here. For example, if you’re processing the information to meet your legal obligations or contractual requirements, you can identify specific activities within those terms.
Likewise, if you’re processing information to protect an individual’s vital interests, you can ask yourself how each piece of data supports that activity.
You must be careful when completing this process. It might not seem like a crucial task, at least compared to measures specifically designed to prevent data breaches, but data minimisation is a core principle of the GDPR.
The damage caused by data breaches is often exacerbated by organisations processing unnecessary amounts of personal information, thus increasing the volume of data compromised in security incidents.
By keeping your data processing activities to a minimum, you reduce the threat of data breaches and privacy violations. You also reduce the amount of work you need to do to protect and maintain your records.
This is particularly true when it comes to special category data or criminal offence data, where extra precautions are in place.
If you are at all unsure whether your data processing practices meet the thresholds, you should err on the side of caution or seek expert guidance.
You should also review your processing practices periodically to ensure that the personal data you hold is still relevant and adequate.
What to look out for
The ICO (Information Commissioner’s Office) provides further guidance on the GDPR’s data minimisation requirements, including examples of situations where compliance could be jeopardised.
In one scenario, the ICO describes a debt collection agency that’s trying to locate a particular debtor. After processing information on several people with a similar name, it finds the right person.
At this point, the agency must delete the relevant records for the people whose information it collected during its search. However, it’s a good idea to keep a basic record of the people it removed from its search, provided it has no intention of contacting them again.
The ICO highlights that an organisation cannot keep records on the off chance that they will be useful in the future. However, if it can document a reason why that information might be important at a later date, it’s permitted to retain it.
In another example, the ICO describes a group of individuals who set up a club. At first, it has only a handful of members who all know each other, and the activities are set up using the members’ names and email addresses.
Over time, the club becomes more popular and the administrators realise that they need additional information about its members in order to keep track of their membership status and subscription payments.
The ICO notes that, although the group hadn’t initially intended to process these types of data, it’s entitled to change the terms of processing as requirements change.
In fact, organisations that fail to change the terms of processing might actually be breaching their data protection obligations. If they don’t have enough data to perform necessary tasks – such as tracking subscriptions – their records are inadequate for the organisation’s purpose.
Personal data might also be considered inadequate if the organisation makes decisions about someone based on an incomplete understanding of the facts. Incomplete or inaccurate records could lead to information being misinterpreted and false judgements being drawn.
Organisations should prevent this by reviewing their records regularly to ensure that data is accurate and up to date.
Meeting your data minimisation requirements
Data minimisation is a crucial practice for all organisations, but as with many aspects of the GDPR, it’s a particular challenge for marketing departments.
It’s why IT Governance created ‘GDPR and PECR – A guide for marketers’, to help explain the difficulties these teams face.
This free green paper explains what you need to do to ensure your marketing activities meet your regulatory requirements, and how you can save time by addressing all privacy legislation together.
It covers the key requirements of data protection laws in relation to marketing.
You’ll find a range of tips for meeting your GDPR and PECR compliance requirements, including the rules surrounding consent.