What is the GDPR Data Minimization Principle?
Defined in Article 5(1)(c) of the General Data Protection Regulation (GDPR), data minimization (expressed as ‘data minimisation’ within official EU documentation) is the third principle related to the processing of personal data.
Data Minimization Summary
- The organizational practice of minimizing the overall amount of personal data collected
- Only collecting personal data that is adequate, relevant, and limited to what is necessary for specified purposes
- Deleting or masking personal data that is no longer needed or is unnecessary to perform specified purposes
- Must be able to demonstrate appropriate data minimization practices
- Periodic check-ups should be made to ensure the adequacy and relevance of data collected
What are the primary differences between the GDPR and the 1998 Data Protection Act (DPA)?
The GDPR data minimization principle is nearly identical to the third principle of the Data Protection Act of 1998. There is a minor difference in wording between the two: the 1998 Data Protection Act refers to the third principle as ‘adequacy,’ rather than ‘data minimisation’ (data minimization).
The only main difference between the GDPR and the 1998 Data Protection Act is the GDPR's added requirement that organizations demonstrate appropriate data minimization practices if requested. This addition comes as part of new accountability obligations on the data controller and is linked to the new data subject rights of erasure and rectification.
Business Considerations for Organizations to Understand
What is considered adequate, relevant and limited?
Although these terms are not explicitly defined within the GDPR, organizations can use the following general definitions when determining the adequacy, relevance and limitation of personal data collection.
Adequate: only data that is sufficient to adequately fulfill specified purposes stated within the ‘purpose limitation’ principle
Relevant: only data that is reasonably related to the purposes stated within the ‘purpose limitation’ principle
Limited: only data that is necessary to perform stated purposes, ensuring the organization does not collect data that is not relevant to those purposes
How to properly address the purpose limitation principle?
- define what personal data the organization needs to investigate
- locate all the places your organization is storing the data
- create an inventory of who is using or has access to the data
- understand the current purpose(s) for which employees are using the data
- determine whether the present purpose(s) comply with the GDPR
- identify any purposes not currently utilized which may be needed
- restrict access for users who have invalid purposes for using the data
- apply safeguards, including encryption or masking, to data that the organization may use for further processing or that it can use without the sensitive elements
- record and communicate all valid purposes for internal and GDPR documentation