Back when the GDPR was still within the adaptation phase, data-driven organisations and public bodies that process personal data on a large scale found the new obligation of data minimisation to be a rather vague obstacle. The GDPR states that “personal data shall be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are processed”, but this concept still often poses challenges for some firms. At the same time, data driven organisations continue to process and gather personal data on a large scale, where data minimisation could prove that ‘bigger’ might not necessarily always mean ‘better’: after over a year since the EU privacy regulation’s enforcement, we have now learned that data minimisation actually holds several benefits for organisations that decide to embed it into their practices. Before we start looking into what data minimisation can look like in practice, let’s take a look into what this concept entails exactly according to the GDPR.
Data minimisation obligations as per the GDPR
Art 5 (1) GDPR states that personal data should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
What does this mean?
The GDPR does not define what “adequate, relevant and limited to what is necessary” means. It will depend on the specified purpose for collecting and using the personal data. Additionally, it may also differ from one data subject to another, and on the type of personal data processed. All of these aspects need to be determined, so that then the minimum amount of personal needed to fulfill the purpose can be identified.
Unnecessary and irrelevant
If your organisation is holding more data than is actually necessary for your purpose, this is likely to be unlawful (as most of the lawful bases from art. 6 and 9 GDPR also have a necessity element), as well as a breach of the data minimisation principle. Data subjects might also have the right to get you to delete any unnecessary data.
If the processing your organisation carries out is not helping it to achieve your purpose, then the personal data you have is probably inadequate. You should not process personal data if it is insufficient for its intended purpose. Bear in mind that individuals might also have the right to rectify any information concerning them that is inadequate.
In some circumstances this may actually require you to collect more personal data than you had originally anticipated using, so that you have enough information for the purpose in question. Obviously it makes no business sense to have inadequate personal data – but you must be careful not to go too far the other way and collect more than you need.
Special category and criminal offence data
For special category data or criminal offence data, it is particularly important to make sure you collect and retain the minimum amount of information, since these are typically socially sensitive data like the criminal records, racial or ethnic origin, political opinions, sexual preferences and religious beliefs or data that can be irreversibly exposed by a data leak like genetic and biometric data.
Additionally, the accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles. This means that you need to be able to demonstrate that you have appropriate processes, measures and records to demonstrate that you only collect and hold the personal data you need.
Besides taking the right steps to ensure GDPR compliance, putting data minimisation into practice can also bring in several further benefits. Let’s go through four benefits that organisations can enjoy through data minimisation.
Cost reduction on data storage
Projections for the volumes of personal data stored by organisations could mean further costs if not handled strategically. A report in 2016 that involved 2,500 IT professionals of organisations in 22 different countries, found that 85% of stored data was considered either redundant or simply deemed inapplicable for use. Additionally, it’s predicted that business data could ‘unnecessarily’ cost organisations around the world a cumulative amount of $3.3trillion by the end of 2020. Furthermore, as personal data grows to be inaccurate and out of date after a period of time, keeping large amounts of redundant data would ultimately mean spending unnecessary costs for storage, as well as costs of security.
Less impact of data breaches/data leaks
As the numbers of data breaches reported continue to rise over time, it has become important that organisations should always take into account the importance of data security. By keeping a strategic approach in securely and regularly erasing data that is not used after some time, organisations could be less prone to experiencing potential upcoming problems regarding personal data, as there would be a significantly less, better structured database to work with.
With data minimisation in place, the amount of data gathered is not just minimised, but the quality of the data is higher in adequacy as well. Only processing and gathering personal data that has been proven to be necessary for a certain task could improve an organisation’s efficiency in carrying out their activities.
Increase consumer trust
By today, the trust between brands and consumers have been strongly affected by the amount of personal data that is often times requested just to validate a purchase. As the general public become further aware and cautious about the importance of personal data and how it is handled, businesses should make sure that they treat data privacy as a priority, and embed it into their practices. The concept of data minimisation could provide an opportunity as a base for organisations to not only develop a habit in requesting only necessary information from potential customers, but to also gain much needed consumer trust and loyalty.
Now that we have gone through some benefits of data minimisation, let’s go through the practical steps that an organisation might consider.
See privacy as more than just a business risk (privacy by default)
It is imperative that organisations truly listen to privacy experts and not just consider privacy as a business risk, but an opportunity. Privacy by default highlights the data minimisation principle, as it points out that organisations should be only gathering personal data that is required. Taking into account that personal data that is gathered may not always be applicable, ensuring that the default setting of a certain process limits just how much personal data a data subject is willing to share will generally help in finding only valuable bits of information. Furthermore, successfully adopting privacy by default obligation, organisations also clearly communicate to data subjects about how long their personal data will be stored and what it will be used for - which also contributes to an increase in trust.
Implement a strategic erasure plan
The data minimisation principle is a habit that organisations should review time and time again. By taking time to look through your processings to check that the personal data you are holding is still applicable or relevant for your purposes, and erasing any of it that is deemed redundant, will not only mean higher chance of being GDPR compliant, but will also contribute to an up to date database.
Strategic data erasure is a core component in the data minimisation practice, as businesses must make sure to safely erase data that is deemed to be stale or redundant. Further adapting privacy by design & default in data gathering and storing processes will give organisations the ability to identify what type of data is required for keeping or not. This would also give the opportunity to create a certain criteria to follow when gathering data, in order to optimise the most relevant and necessary information.
Data minimisation presents an opportunity
Regardless of what area your business is in, there is always a strong importance in gathering consent for collecting, storing, and processing personal data. Organisations must always make sure that their data handling practices are aligned to the GDPR, and should consider that gathering more and more personal data, might not always give them the advantage they are looking for. Ultimately, by generally filtering what type of data is gathered, and keeping it to the bare minimum, your organisation might very well be protecting itself from potential external or internal risks.