GDPR and Data Minimization

Data minimization is one of the chief principles of the European Union’s General Data Protection Regulation (GDPR), which states that data processing should only use as much data as is required to complete an assigned task.

It goes on to say that data collected for one purpose may not be repurposed and used for a different purpose.

The legal requirements of Data Minimization are stated in Article 5 (e) of the GDPR. It states “personal data shall be kept for no longer than is necessary for the purposes for which it is being processed. There are some circumstances where personal data may be stored for longer periods (e.g. archiving purposes in the public interest, scientific or historical research purposes).”

Recital 39 of the GDPR states that: “the period for which the personal data is stored should be limited to a strict minimum and that time limits should be established by the data controller for deletion of the records (referred to as erasure in the GDPR) or for a periodic review.”

In other words, organizations must make sure personal data is properly disposed of when it is no longer required for the purpose that it was gathered for. By doing so, the risk of it becoming inaccurate, out of date or irrelevant is reduced.

What to Review to Achieve Data Minimization

In order to achieve this you should review the data that you are gathering to ensure that it is:

  • Adequate: The data that you are gathering is what you require in order to fulfil your stated purpose.
  • Relevant: The data that you are gathering has an obvious link to your target and this can be displayed upon review.
  • Limited: Only the necessary data will be gathered. No additional data that is not required will be gathered and held; you do not hold more than you need for that purpose.

For criminal offence or special category data it is vital to ensure you collect and keep only the minimum amount of data possible.

This could be considered on an individual case basis, giving particular consideration to any specific factors. This could be part of an objection, request for rectification of incomplete data, or request for erasure of unnecessary data.

Data Minimization Checklist

In order to ensure that you are achieving data minimization you should follow a simple checklist like the one that we have provided here:

  • All personal data gathered is required for the specified purposes of this task.
  • The personal data gathered is enough to complete the stated task.
  • The data has been reviewed on an ongoing basis to ensure that anything unneeded has been deleted.

Data Minimization Conclusion

If you have completed your review and conclusion and are still unsure whether you are achieving data minimization, you should seek the help of an external firm of GDPR experts. If you breach GDPR the consequences could be significant: the highest possible fine is 4% of annual global revenue or €20m, whichever figure is higher.