What is the GDPR Data Minimization Principle?

Defined in Article 5(1)(c) of the General Data Protection Regulation (GDPR), data minimization (expressed as ‘data minimisation’ within official EU documentation) is the third principle related to the processing of personal data.

Data Minimization Summary

  • The organizational practice of minimizing the overall amount of personal data collected
  • Only collecting personal data that is adequate, relevant, and limited to what is necessary for specified purposes
  • Deletion or masking of personal data, either no longer needed or unnecessary to perform specified purposes
  • Must be able to demonstrate appropriate data minimization practices
  • Periodic check-ups should be made to ensure the adequacy and relevance of data collected

What are the primary differences between the GDPR and the 1998 Data Protection Act (DPA)?

The GDPR data minimization is nearly identical to the third principle of the Data Protection Act of 1998. A minor verbiage difference between the two, 1998 Data Protection Act refers to the third principle as ‘adequacy,’ rather than ‘data minimisation’ (data minimization).

The only main differences between the GDPR and the 1998 Data Protection Act is the GDPR addition of requiring organizations to demonstrate appropriate data minimization practices if requested. This addition comes as part of new accountability obligations to the data controller, having links to new data subject rights of erasure and rectification.

Business Considerations for Organizations to Understand

What is considered adequate, relevant and limited?

Although not explicitly defined within GDPR, organizations can use the following general definitions when determining the adequacy, relevance and limitation for personal data collection.

Adequate: only data that is sufficient to adequately fulfill specified purposes stated within the ‘purpose limitation’ principle

Relevant: only data that is reasonably related to the purposes stated within the ‘purpose limitation’ principle

Limited: only data that is necessary to perform stated purposes, ensuring the organization does not collect data that is not relevant to those purposes

How to properly address the purpose limitation principle?

Data Discovery

  • define what personal data the organization needs to investigate
  • locate all the places your organization is storing the data
  • create an inventory of who is using or has access to the data

Evaluation

  • understand the current purpose(s) employees are using the data
  • determine whether the present purpose(s) comply with the GDPR
  • identify any purposes not currently utilized which may be needed

Preparation

  • restrict access to users with invalid purposes for using the data
  • apply safeguards, including encryption or masking, for data that the organization may use for further processing or which the organization can use without the use of sensitive elements
  • notate and communicate all valid purposes for internal and GDPR documentation

 

COMPLIMENTARY FORRESTER REPORT

HOW DIRTY IS YOUR DATA?