GDPR Principles: Data Minimization
This post represents part 3 of a series of posts covering principles of the General Data Protection Regulation (GDPR). The regulation sets out 7 keys principles that set the foundation for the directives to be enforced by the legislation. Today we will be covering data minimization. Below are links to the full series of posts:
- Part 1 GDPR Principles: Lawfulness, Fairness and Transparency
- Part 2 GDPR Principles: Purpose Limitation
- Part 3 GDPR Principles: Data Minimization
- Part 4 GDPR Principles: Accuracy
- Part 5 GDPR Principles: Storage Limitation (Coming Soon)
- Part 6 GDPR Principles: Integrity and Confidentiality (security) (Coming Soon)
- Part 7 GDPR Principles: Accountability Principle (Coming Soon)
Data minimization (spelled “data minimisation” in the UK) is the concept of collecting and processing only the minimum amount of data required to carry out the stated purpose. The below is an excerpt from the legislation that outlines the principles of the GDPR.
1. Personal data shall be:
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed 1
Let’s break down the element of data minimization contained in the sentence above. There are three elements covered in the legislation that serve as the checklist for compliance. They are:
- Limited to what is necessary in relation to the purpose for which the data is processed
Concerns about adequacy may seem a little out of place in the overall spirit of the data minimization principle but there is a rational basis for its consideration. For instance look at the example of collecting personal information from a data subject for the purposes of evaluating their fit for a job. Your organization collects only the name and email of interested applicants. Is this enough information to carry out the stated purpose? Say, after collecting thousands of email addresses, you send out an email asking for consent to send the applicants information about resume writing services and other employment products. Some grant you consent, but others do not. Still, would you have been able to collect those thousands of initial email addresses under the guise of evaluating employment fit before changing your purpose for the use of the personal data (email addresses)? Likely not, and regulatory bodies could determine that you did not collect adequate personal data for your stated purpose.
Relevance is another important aspect when considering data minimization compliance. Let’s imagine a personal data point that might be a little out of the ordinary and how it might be relevant to one purpose and not another. Let’s say our data point is candy preference. A local hospital is trying to increase patient satisfaction with their care in the pediatric ward and they determine that parents and kids feel more satisfied with their visit if a piece of candy is provided to the patient on check out. This information is collected at the time of patient check in and the candy is provided to the patient on check out. This would be considered relevant personal information to the stated purpose of providing quality patient care. Let’s say in our previous example of candidates submitting online employment applications, the data collected is expanded to name, email address, and candy preference. After collecting candy preferences from thousands of applicants, consent is requested to share candy preference data with a 3rd party candy manufacturer. Was the collection of candy preference for the originally stated purpose relevant to the purpose of determining employ ability? It would not appear so.
Ensuring that data is limited to what is necessary for the stated purpose is the most important aspect of the data minimization principle. This verbiage sets forth that controllers and processors should limit the personal data they are collecting to only what is necessary for the stated purpose. This has strong synergy with the relevance aspect above. Subtle word differences of the stated purpose can affect what is considered appropriately limited. Let’s keep with our theme of collecting digital employment applications. If your stated purpose is to evaluate suitability for employment for the job the applicant has applied for, collecting personal data such as industry preferences, geographic preferences, or company size may not be considered appropriately limited. If you tweak your stated purpose to state that you are collecting data to evaluate suitability for employment and make job recommendations then this additional data would be considered within the scope of limitation. This is because collecting personal data related to broader employment preferences is not necessary to evaluate the suitability of the applicant with a specific position, however it would be for the purposes of matching the the candidate with a job on a more general basis. Make sure you consider subtle nuances like this when evaluating whether the data you are collecting is appropriately limited or “minimized”.
As with many principles of the GDPR, no one will be checking to make sure that you are making these reviews. However, in the event of regulatory scrutiny or lawsuits, you must be able to demonstrate compliance. What does this mean for the data minimization principle? For one, you should keep a checklist and document the review of the principle when deciding to collect or process personal data. You should also conduct periodic audits, at least annually, of personal data to ensure that changes in your organization haven’t influenced your standing in regards to compliance. If you have questions or would like to schedule a privacy practices consultation, contact us for a review.
Data minimization is the concept of collecting the minimum amount of data needed to carry out the stated purpose and no more. When conducting a data minimization evaluation you must ensure that the data collected is adequate and relevant to your stated purpose. The onus is on the organization to document compliance with this principle. We recommend documenting a review of this principle each time new personal data is collected or processed. Conduct at least an annual audit of personal data that has been collected or processed to ensure that changes in the business have not impacted compliance with the data minimization principle.
About The Author
Hunter has more than 10 years’ experience in the software industry building and configuring software for companies such as American Express, Black Knight, Homes & Land, Verizon and more. Hunter earned his bachelor’s degree in Information Technology from Florida State University in 2009 and began his career consulting for Accenture out of the New York City office. After accruing significant experience working with Fortune 500 Clients on complex software projects as an analyst, he discovered his love for coding and building software. While practicing the craft he earned an MBA from Florida State in 2017. In 2018 he founded Tortoise and Hare Software to begin providing business value in digital consulting engagements to small and medium sized businesses and helping them along in their journey toward the Fortune 500. See LinkedIn fore more.
This article will discuss how a one way hash function can be used in the context of privacy compliance for regulations like the GDPR. Storing customer’s personal data is an inevitability for scaling businesses in today’s technical world. One way hash functions are a useful tool to store sensitive customer data such as passwords and…
The accuracy principle states that controllers and processor should make reasonable efforts to ensure personal data is accurate. They must allow citizens to challenge the accuracy of data and take steps to rectify or erase the data associated with the challenge. Verification is sometimes needed to ensure data is accurate. Controllers and processors should consider the impact to the individual and whether they collected the data or the user provided it when determining appropriate verification steps. Organizations should document challenges and their responses thoroughly and in a timely manner. They should also document the thought process for determining whether personal data needs to be verified and the verification steps taken if necessary.
The GDPR’s purpose limitation principle constrains the use of personal data to the original purposes or those purposes compatible with the original purpose. There are a handful of pre-approved compatible purposes such as archiving purposes in the public interest, scientific and historical purposes, and statistical purposes. Under the GDPR, the burden falls on controllers and processors to document their purposes and reasoning behind them. These must be documented externally to be transparent to the end user, and internally with regular audits. Care must be taken when deciding a purpose is compatible with the original. An analysis must be conducted to determine compatibility and it’s a good idea to document the reasoning behind claiming a purpose is compatible with the original. Make sure to consider linkages to the original purpose, and consequences to the end user.
The first principle of the GDPR, Lawfulness Fairness and Transparency focuses mostly on the underlying reasons for collecting and processing personal information and how it will be used. It outlines the need for a lawful basis for processing and discusses the 6 bases for processing that have been identified. The bases of consent is the most recommend basis and organizations would do well to ensure they establish proper consent collection mechanisms. It ensures that data is collected fairly and that the collection does not present unjust injury to an individual or group of individuals, regardless of how many other individuals are unaffected. It ensures that organizations are being transparent in the way they inform their users on the type of information that is collected and the way it will be processed and used. The responsibility lies within the collecting organization to document compliance with principles of the GDPR. Establishing a process for documenting a lawful basis for processing, fairness, and transparency in collection will leave organization prepared for regulatory scrutiny, help avoid lawsuits and fines.
The General Data Protection Regulation (GDPR) and Data Protection Act of 2018 (DPA) are complex, in depth, complementary legal documents which act as a code of conduct for businesses involved in the processing of personal data. Henceforth these regulations will be referred to as the GDPR. There are many aspects of compliance with these regulations and the best place to keep up to date and understand aspects of compliance is the Information Commissioner’s Office’s (ICO) Guide to General Data Protection Regulation. This article highlights the aspects of compliance that SteadyHOPS provides.