GDPR Principles: Purpose Limitation

GDPR Purpose Limitation of PII
Home » Blog » GDPR Principles: Purpose Limitation

This post represents part 2 of a series of posts covering principles of the General Data Protection Regulation (GDPR). The regulation sets out 7 keys principles that set the foundation for the directives to be enforced by the legislation. Today we will be covering purpose limitation.  Below are links to the full series of posts:

Purpose Limitation

The purpose limitation principle aides controllers and processors in describing why personal data is being collected. Here is a quote from the law regarding purpose limitation:

1. Personal data shall be:

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.1

The concept of purpose limitation is not new; it has been around since 1998 when the previous data protection law went into effect. Controllers and processors used to define purpose limitation by registering their purposes with the ICO.  Under GDPR, controllers and processors will be responsible for documenting their purposes rather than registering for approval with a government body.  The GDPR provides specific exemptions from this principle for scientific, historical, and statistical purposes.  GDPR ensures that new purposes for processing personal data are compatible with their initial purpose. This verbiage in the law protects users from “function creep.” If the new purpose is not compatible with the original purpose, controllers and processors must ensure the new purposes is compatible with the first principle of GDPR; lawfulness, fairness, and transparency.

Compliance Documentation

As stated above, controllers and processors are now responsible for documenting their purposes as part of their GDPR compliance requirements.  Documentation can be thought of as internal to the organization and external to the organization.  External documentation means that purposes for collecting and processing personal data must be transparent to the end user.  What this will mean for most organizations is that the privacy policy should include purposes for collecting and processing of end user data.  Internal documentation requirements are more flexible in the way that they are created and maintained.  Be able to demonstrate you have:

  • Identified personal data collected, how it will be processed, and the purpose for doing so.
  • Have conducted purpose audits at reasonable intervals and updated documentation where necessary.
  • Documented reliance on new purposes that were compatible with the original purpose.
  • Documented reliance on the exemptions for scientific, historical, and statistical data.

Function Creep

Function creep is the concept of a system adding new features (functions) over time, which results in data being leveraged for purposes other than the purposes the user granted consent for originally.  Controllers and processors must use care when developing systems not to breach privacy law as new features are released.  A process checkpoint should be included in the release to review new features with a privacy lens.  Previously collected personal data that is used for a new purpose that is not compatible with the original purpose must include an update to the privacy policy and internal compliance documentation.

Determining Compatible Purposes

Determining compatible purpose can be a tricky subject, but documenting the use of a purpose as a compatible purpose and the reasoning behind it will surely be looked upon more favorably than undocumented use. Purposes that are pre-approved compatible purposes under GDPR include:

  • Archiving activities in the public interest
  • Scientific and historical purposes
  • Statistical purposes

Other purposes can be considered compatible, but you must analyze the use of the data before proceeding. Consider the links to the original purpose, for instance selling patient records collected as part of healthcare to a marketing company selling vacation packages would not be linked to the original purpose.  You must also consider whether the compatible purpose would be reasonably expected by the patient, which in this case they would not expect vacation package advertising as part of their healthcare sign up.  The nature of the personal data also plays a role.  Additional purposes for using a person’s social security number are going to be scrutinized more heavily than just the use of their first and last name.  Consequences to the individual must also be considered.  Receiving marketing for vacation packages is going to be less impactful than additional processing that results in exposure to a data breach or rejection of a loan.

Conclusion

The GDPR’s purpose limitation principle constrains the use of personal data to the original purposes or those purposes compatible with the original purpose.  There are a handful of pre-approved compatible purposes such as archiving purposes in the public interest, scientific and historical purposes, and statistical purposes. Under the GDPR, the burden falls on controllers and processors to document their purposes and reasoning behind them.  These must be documented externally to be transparent to the end user, and internally with regular audits. Care must be taken when deciding a purpose is compatible with the original.  An analysis must be conducted to determine compatibility and it’s a good idea to document the reasoning behind claiming a purpose is compatible with the original. Make sure to consider linkages to the original purpose, and consequences to the end user.

Posted in:
Tagged:

Hunter Nelson

Hunter has more than 10 years’ experience in the software industry building and configuring software for companies such as American Express, Black Knight, Homes & Land, Verizon and more. Hunter earned his bachelor’s degree in Information Technology from Florida State University in 2009 and began his career consulting for Accenture out of the New York City office. After accruing significant experience working with Fortune 500 Clients on complex software projects as an analyst, he discovered his love for coding and building software. While practicing the craft he earned an MBA from Florida State in 2017. In 2018 he founded Tortoise and Hare Software to begin providing business value in digital consulting engagements to small and medium sized businesses and helping them along in their journey toward the Fortune 500. See LinkedIn for more.

Leave a Comment





Up Next

One Way Hash Functions and Data Privacy Compliance.

By Hunter Nelson | April 11, 2019

This article will discuss how a one way hash function can be used in the context of privacy compliance for regulations like the GDPR. Storing customer’s personal data is an inevitability for scaling businesses in today’s technical world. One way hash functions are a useful tool to store sensitive customer data such as passwords and…

GDPR Principles: Accuracy

By Hunter Nelson | November 21, 2018

The accuracy principle states that controllers and processor should make reasonable efforts to ensure personal data is accurate.  They must allow citizens to challenge the accuracy of data and take steps to rectify or erase the data associated with the challenge.  Verification is sometimes needed to ensure data is accurate.  Controllers and processors should consider the impact to the individual and whether they collected the data or the user provided it when determining appropriate verification steps.  Organizations should document challenges and their responses thoroughly and in a timely manner. They should also document the thought process for determining whether personal data needs to be verified and the verification steps taken if necessary.

GDPR Principles: Data Minimization

By Hunter Nelson | November 8, 2018

Data minimization is the concept of collecting the minimum amount of data needed to carry out the stated purpose and no more.  When conducting a data minimization evaluation you must ensure that the data collected is adequate and relevant to your stated purpose as well as limited. The onus is on the organization to document compliance with this principle.  We recommend documenting a review of this principle each time new personal data is collected or processed.  Conduct at least an annual audit of personal data that has been collected or processed to ensure that changes in the business have not impacted compliance with the data minimization principle.

GDPR Principles: Lawfulness, Fairness and Transparency

By Hunter Nelson | October 23, 2018

The first principle of the GDPR, Lawfulness Fairness and Transparency focuses mostly on the underlying reasons for collecting and processing personal information and how it will be used.  It outlines the need for a lawful basis for processing and discusses the 6 bases for processing that have been identified. The bases of consent is the most recommend basis and organizations would do well to ensure they establish proper consent collection mechanisms.  It ensures that data is collected fairly and that the collection does not present unjust injury to an individual or group of individuals, regardless of how many other individuals are unaffected.  It ensures that organizations are being transparent in the way they inform their users on the type of information that is collected and the way it will be processed and used.  The responsibility lies within the collecting organization to document compliance with principles of the GDPR.  Establishing a process for documenting a lawful basis for processing, fairness, and transparency in collection will leave organization prepared for regulatory scrutiny, help avoid lawsuits and fines.  

SteadyHOPS and the GDPR

By Hunter Nelson | October 14, 2018

The General Data Protection Regulation (GDPR) and Data Protection Act of 2018 (DPA) are complex, in depth, complementary legal documents which act as a code of conduct for businesses involved in the processing of personal data.  Henceforth these regulations will be referred to as the GDPR. There are many aspects of compliance with these regulations and the best place to keep up to date and understand aspects of compliance is the Information Commissioner’s Office’s (ICO) Guide to General Data Protection Regulation.  This article highlights the aspects of compliance that SteadyHOPS provides.