GDPR Principles: Purpose Limitation

    This post is part 2 of a series covering the principles of the General Data Protection Regulation (GDPR). The regulation sets out 7 key principles that form the foundation for the requirements the legislation enforces. Today we will be covering purpose limitation.  Below are links to the full series of posts:

    Purpose Limitation

    The purpose limitation principle aids controllers and processors in describing why personal data is being collected. Here is a quote from the law regarding purpose limitation:

    1. Personal data shall be:

    (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes. [1]

    The concept of purpose limitation is not new; it has been around since 1998, when the previous data protection law went into effect. Controllers and processors used to satisfy purpose limitation by registering their purposes with the ICO.  Under the GDPR, controllers and processors are responsible for documenting their purposes themselves rather than registering them for approval with a government body.  The GDPR provides specific exemptions from this principle for scientific, historical, and statistical purposes.  The GDPR requires that any new purpose for processing personal data be compatible with the initial purpose. This wording in the law protects users from “function creep.” If a new purpose is not compatible with the original purpose, controllers and processors must instead ensure the new purpose satisfies the first principle of the GDPR: lawfulness, fairness, and transparency.

    Compliance Documentation

    As stated above, controllers and processors are now responsible for documenting their purposes as part of their GDPR compliance requirements.  Documentation can be thought of as internal to the organization and external to the organization.  External documentation means that the purposes for collecting and processing personal data must be transparent to the end user.  For most organizations this means the privacy policy should state the purposes for collecting and processing end user data.  Internal documentation requirements are more flexible in how they are created and maintained.  Be able to demonstrate that you have:

    • Identified the personal data collected, how it will be processed, and the purpose for doing so.
    • Conducted purpose audits at reasonable intervals and updated documentation where necessary.
    • Documented reliance on new purposes that were compatible with the original purpose.
    • Documented reliance on the exemptions for scientific, historical, and statistical purposes.

    Function Creep

    Function creep is the tendency of a system to add new features (functions) over time, which results in data being used for purposes other than those the user originally consented to.  Controllers and processors must take care not to breach privacy law as new features are released.  A process checkpoint should be included in the release process to review new features through a privacy lens.  Using previously collected personal data for a new purpose that is not compatible with the original purpose requires an update to the privacy policy and to the internal compliance documentation.

    Determining Compatible Purposes

    Determining whether a purpose is compatible can be tricky, but documenting the use of a purpose as a compatible purpose, along with the reasoning behind it, will surely be looked upon more favorably than undocumented use. Purposes that are pre-approved as compatible under the GDPR include:

    • Archiving activities in the public interest
    • Scientific and historical purposes
    • Statistical purposes

    Other purposes can be considered compatible, but you must analyze the use of the data before proceeding. Consider the links to the original purpose: for instance, selling patient records collected as part of healthcare to a marketing company selling vacation packages would not be linked to the original purpose.  You must also consider whether the new purpose would be reasonably expected by the individual; in this case, a patient would not expect vacation package advertising as a consequence of signing up for healthcare.  The nature of the personal data also plays a role.  Additional purposes for using a person’s social security number are going to be scrutinized more heavily than additional uses of their first and last name.  The consequences for the individual must also be considered.  Receiving marketing for vacation packages is going to be less impactful than additional processing that results in exposure through a data breach or rejection of a loan.
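    One way to turn this analysis into something a system enforces rather than a document nobody reads is a purpose gate that a data store consults before releasing a field for processing. The block below is an added example, not code from the original post or from Tortoise and Hare Software. It encodes the rules the post describes: use for the purposes declared at collection is allowed, the Article 89(1) purposes (archiving in the public interest, scientific or historical research, statistics) are treated as compatible by default, and any other new purpose is allowed only when a documented compatibility assessment exists. Every decision is appended to an audit log so the periodic purpose audits have a record to review. The record, purpose names, the patient example data and the decision rule inside `CompatibilityAssessment.is_compatible()` are this example's own assumptions; the regulation states the factors to weigh, not a formula.

```python
# Added example (not from the original post): a purpose-limitation gate.
# Purpose names, records and the compatibility rule are constructed for
# illustration; only the four factors come from the post.
from __future__ import annotations

from dataclasses import dataclass, field

# Purposes the post lists as pre-approved compatible purposes under the GDPR.
PRE_APPROVED_PURPOSES = frozenset({
    "archiving_public_interest",
    "scientific_research",
    "historical_research",
    "statistical",
})


@dataclass
class CompatibilityAssessment:
    """Internal documentation for relying on new_purpose as compatible with original_purpose.

    The four factors are the ones the post says to weigh: the link to the original
    purpose, the individual's reasonable expectations, the nature of the data, and
    the consequences for the individual. sensitive_data is recorded for the auditor.
    """
    original_purpose: str
    new_purpose: str
    linked_to_original: bool
    reasonably_expected: bool
    sensitive_data: bool
    adverse_consequences: bool
    reasoning: str

    def is_compatible(self) -> bool:
        # Assumption made for this example: an unlinked or unexpected purpose is never
        # compatible, and neither is one that creates adverse consequences.
        if not self.linked_to_original or not self.reasonably_expected:
            return False
        return not self.adverse_consequences


@dataclass
class PersonalDataRecord:
    subject_id: str
    field_name: str
    collected_for: frozenset[str]  # purposes declared to the user at collection time


@dataclass
class PurposeGate:
    assessments: dict[tuple[str, str], CompatibilityAssessment] = field(default_factory=dict)
    audit_log: list[dict] = field(default_factory=list)

    def document(self, assessment: CompatibilityAssessment) -> None:
        """Record an internal compatibility assessment (the 'documented reliance')."""
        self.assessments[(assessment.original_purpose, assessment.new_purpose)] = assessment

    def decide(self, record: PersonalDataRecord, purpose: str) -> tuple[bool, str]:
        """Return (allowed, reason) for processing `record` under `purpose`; log the decision."""
        if purpose in record.collected_for:
            allowed, reason = True, "purpose declared at collection"
        elif purpose in PRE_APPROVED_PURPOSES:
            allowed, reason = True, "Article 89(1) purpose, compatible by default"
        else:
            allowed, reason = False, "no documented compatibility assessment"
            for original in sorted(record.collected_for):
                assessment = self.assessments.get((original, purpose))
                if assessment is None:
                    continue
                if assessment.is_compatible():
                    allowed = True
                    reason = f"documented as compatible with '{original}': {assessment.reasoning}"
                    break
                reason = f"assessed as incompatible with '{original}': {assessment.reasoning}"
        self.audit_log.append({
            "subject_id": record.subject_id,
            "field": record.field_name,
            "requested_purpose": purpose,
            "allowed": allowed,
            "reason": reason,
        })
        return allowed, reason


def demo() -> list[tuple[str, bool]]:
    """Walk through the post's healthcare example with constructed data."""
    gate = PurposeGate()
    # Constructed record: a patient's email collected for delivering healthcare.
    record = PersonalDataRecord("patient-0001", "email", frozenset({"healthcare_delivery"}))
    # Appointment reminders: linked to care and something a patient would expect.
    gate.document(CompatibilityAssessment(
        "healthcare_delivery", "appointment_reminders",
        linked_to_original=True, reasonably_expected=True,
        sensitive_data=True, adverse_consequences=False,
        reasoning="reminders are part of delivering the care the patient signed up for"))
    # Vacation marketing: the post's example of a purpose with no link to the original.
    gate.document(CompatibilityAssessment(
        "healthcare_delivery", "vacation_marketing",
        linked_to_original=False, reasonably_expected=False,
        sensitive_data=True, adverse_consequences=False,
        reasoning="no link to care; patients would not expect travel advertising"))
    purposes = ["healthcare_delivery", "statistical", "appointment_reminders",
                "vacation_marketing", "credit_scoring"]
    return [(p, gate.decide(record, p)[0]) for p in purposes]


if __name__ == "__main__":
    for purpose, allowed in demo():
        print(f"{purpose:22s} {'ALLOW' if allowed else 'DENY'}")
```

    The gate deliberately fails closed: a purpose that is neither declared, pre-approved, nor backed by a documented assessment is denied, and the denial itself is logged, which gives the release checkpoint described under function creep a concrete signal to review.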

    The GDPR’s purpose limitation principle constrains the use of personal data to the original purposes or to purposes compatible with the original purpose.  There are a handful of pre-approved compatible purposes: archiving in the public interest, scientific and historical purposes, and statistical purposes. Under the GDPR, the burden falls on controllers and processors to document their purposes and the reasoning behind them.  These must be documented externally, to be transparent to the end user, and internally, with regular audits. Care must be taken when deciding that a purpose is compatible with the original.  An analysis must be conducted to determine compatibility, and it is a good idea to document the reasoning behind claiming a purpose is compatible with the original. Make sure to consider the linkage to the original purpose, the individual's reasonable expectations, the nature of the data, and the consequences for the end user.

    Hunter Nelson

    Hunter is the founder and president of Tortoise and Hare Software, a digital marketing agency for B2B technology companies. Hunter has more than 10 years’ experience building web applications and crafting digital strategies for companies ranging from scrappy startups to Fortune 50 household names. When not on the clock, you'll find him spending time with his family and pups, relaxing on the beach, or playing competitive online video games. See LinkedIn for more.
