What is the third of the seven data processing principles outlined in GDPR?
The third principle of data processing is data minimization.
Based on this principle, data collection must be adequate, relevant and limited to what is strictly necessary.
GDPR text on data minimisation
Article 5 of GDPR provides that personal data shall be:
“adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”
What is data minimisation?
Data minimisation, as the third principle of GDPR, requires that organizations capture personal data that is relevant and limited to the purpose.
Data is today’s black gold.
Companies look to capture as much data as they possibly can to create a profile of their clients, determine their areas of interest, segment them, understand their behaviour and so on.
With the GDPR principle of data minimisation, it is unlawful for companies to collect data beyond what is relevant and strictly required to render their services.
How to determine what is adequate, relevant and limited?
There is no set definition of what is adequate, relevant and limited in GDPR.
Organizations must assess the adequacy, relevancy and limited nature of the data collected in their specific circumstances.
It all starts by understanding what you need to do with the data.
When you know your purpose, then you’ll know what data you need to reasonably achieve your purpose.
With that, you can assess what is the extent of data collection and processing activities reasonable in the circumstances and in alignment with the data mimimisaton principle.
It’s a good practice to review your data processing activities from time to time to ensure that the organization collects, stores and processes personal data in compliance with the GDPR principles.
How can you implement the data minimisation principle?
To comply with your data minimisation obligations, companies should implement policies, procedures and practices aimed at limiting the quantity of data collected.
You should answer some of the following questions:
- For what purpose do I need to collect personal data?
- What is the nature and type of data that I truly need to render my services?
- Is the data subject aware of why I need to collect personal data?
- Was the data subject informed of the nature and type of data being collected?
- Do individuals have a reasonable expectation that I collect and use the data the way I do?
By understanding the purpose of why you are collecting personal data and limiting the collection, storage and processing to strictly what is needed, you can comply with the principle of data minimisation.
In what case can a company process too much personal data?
Companies should be mindful of how much data they collect and process about a data subject.
Often, companies have a tendency to collect everything and anything.
That can be dangerous as collecting and processing too much data will clearly violate the third principle of GDPR related to data minimisation.
When you need to collect data about an individual, keep the data relevant to that individual.
Do not collect other irrelevant data.
Collect data for a foreseeable purpose.
Do not collect data under the assumption that one day you may need it.
If you do collect data for one day that you may need it and that day never comes, you’ll be in a direct breach of GDPR.
When can data processing be inadequate?
To determine if the data processing is adequate, you must be able to justify that the processing helps you achieve your purpose.
If the processing does not help you achieve the purpose for which personal data was collected, then the data processing will be considered inadequate.
Also, under GDPR, processing inaccurate or incomplete information about a person or deciding on an individual based on inaccurate and incomplete information can lead to an inadequacy finding.
It’s the best practice that you only collect the data that you need to achieve your purpose and nothing more.
For more content on the GDPR principles, read our post titled What Are The 7 Principles of GDPR?