Data Minimisation

Context:

The GDPR sets forth the need to implement technical measures to protect the personal information of individuals. In many cases the regulation does not specify which technical measures.  However, in the case of data minimisation, this is identified as a principle; a principle that requires support by such measures.

Considerations:

Data minimisation needs to be factored into each stage of your data processing activities: collection, processing and storage.

Minimisation also needs to be factored into other aspects of your overall technical security to ensure that no data is exposed more widely than is necessary for the defined purposes of processing.

How to:

Implement technology, policies and processes to ensure:

  • Collect only the required data. If data is not required for processing, do not collect it.
  • Only carry out processing that is necessary and on a necessary schedule.
  • Data is only stored for the required amount of time and there is a process to securely dispose of all copies at the right time.
  • Data is not shared with third parties, suppliers, cloud providers unless necessary and agreed by the data subject.
  • Access to data is only by those individuals who have a need to do so.

You will need to work closely with your IT provider to ensure that the technology and systems are in place to ensure these measures (See Organisational Measures and Technical Measures) are properly implemented.

Common Scenarios:

A contact form is used to collect information

  • Decide which information needs to be collected before constructing your online form. If for example, you do not intent to call the individual by telephone do not collect their phone number. Likewise if you will only phone them, do not collect their email.

Background Information is added to a CRM system

  • CRM systems by default come with a large variety of fields in which to enter information about prospective customers: birthdays, family, hoe address etc etc. Resist the temptation to colect all of this information by default. Instead only enter that which you need to perform business activities. As an alternative seek additional consent from the individual to collect more information, however in this scenario you would need to tell them why you wish to collect the additional information.

References:

  • GDPR Recitals: 39, 78, 156
  • GDPR Articles: 25

How Gydeline helps

We, at Gydeline, help small and medium sized organisations save money and time by building systems, processes and policies that simplify their business and support their sustainability aims.  We do this with a range of services.

If you would like to discuss any aspects of dealing with this and other risks in your business we are always happy to offer some, free, no obligation assistance – just contact us.

Related Posts