Data minimisation is one of the principles in Article 5 of the General Data Protection Regulation. It states that personal data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed.
In the age of Big Data, this principle sets a paradigm for data protection worldwide. Under the GDPR, companies are not allowed to collect as much personal data as possible and decide later what to do with it. However, in some cases it is perfectly possible to collect and store data for a future event, provided you can justify it. Remember that the definition of the purpose for processing personal data must always precede the actual processing.
Adequacy
The personal data collected must be sufficient for the processing activity. For example, if a company is hiring new employees, work experience and academic credentials are information that is adequate for the purpose of the job. However, if that company were also to collect the name and date of birth of the applicant’s parents, that information may or may not be adequate for the purpose of hiring the applicant.
Relevance
There must be a logical link between the personal data collected and the processing activity. If a SaaS company decides to authenticate software users by emailing them an activation link, then the email address would be relevant personal data for the purpose in question. However, in the same example, financial data would be excessive and irrelevant.
Limitation to what is necessary
Essentially, this means never processing more personal data than is necessary for the stated purpose. Let us say your company’s website has a contact form. In this case, the purpose is to contact potential customers, for which you need a name, phone number, email address, and perhaps some business information. Other information such as age, address and bank details would exceed what is necessary to fulfil the purpose of contacting potential customers and would therefore potentially breach the GDPR.
In order to comply with the GDPR, businesses need to constantly assess their activities, assets and records. Contrary to what many people say, personal data is not the new oil: having more of it does not make you better off. On the contrary, you must always hold exactly what is necessary, relevant and sufficient for your business. Any personal data beyond that should be securely deleted or anonymised.
To learn more about the GDPR principles, don’t forget to read our previous article.
Need some help on the road to compliance? Contact us today!