Data Minimisation: Less is More; If You Don’t Need it, Lose it.

Introduction

The famous and problematic phrase “data is gold” has become a broken record in this time and age. Businesses collecting data are collecting everything they can lay their hands on, both personal and non-personal data. Some hoard personal data to anticipate clients/potential client’s needs and offer them bespoke services or products. Others are oblivious to data protection principles. 

Businesses and organisations must protect people’s personal data by processing what is necessary. This is the principle of data minimisation.

What the Principle of Data Minimisation Entails

The principle of data minimisation under the GDPR and most data protection laws holds that personal data should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” The preamble to the GDPR adds that “personal data should be processed if the purpose of the processing could not reasonably be fulfilled by other means.” Data minimisation requires controllers to limit personal data collection to only what is necessary to fulfil a specific purpose. In other words, minimising data means collecting data only for an immediate and necessary purpose, not hoarding the data on the “off-chance that it might be useful in the future.” More specifically, organisations should limit; the scope of the information they collect, the amount of data they collect within that narrow scope and the retention of that data.

A clear example of the data minimisation principle in action is “a data controller shall not continuously process the precise and detailed location of the vehicle for a purpose involving technical maintenance or model optimisation.” An example of its violation is when a pizza delivery service requires the filling of a form that contains a column for sex, religion, and marital status, this collection of data about people violates the data minimisation principle; as such, the processing is not necessary for delivering a box of pizza. The data minimisation principle thus prohibits collecting as much personal data as possible because the data could be helpful in the future.

A clear implication of violating this principle is incurring fines from the regulator. For example, on October 5, 2020 the Data Protection Authority of Hamburg, Germany, fined clothing retailer H&M €35,258,707.95 — the second-largest GDPR fine ever imposed at the time.H&M’s GDPR violations involved the “monitoring of several hundred employees.” After employees took a vacation or sick leave, they were required to attend a return-to-work meeting. H&M recorded some of these meetings and it was accessible to over 50 H&M managers. As a result, H&M appeared to have violated the GDPR’s principle of data minimisation, particularly sensitive data about people’s health and beliefs unless you need to for a specific purpose. A summary of recent rulings on data minimisation, put together by Meru data, can be found here.

The Benefits of Data Minimisation for Individuals and Organisations

Organisations may limit their data collection to simply comply with the requirements of GDPR, as they may feel that data minimisation is only something that must be done to avoid a fine from the data protection regulation. However, applying data minimisation will create many more positive outcomes.

Complying with this principle has numerous benefits for individuals/data subjects and organisations; they include;

• If the data minimisation principle is adhered to and a data breach occurs in an organisation, the unauthorised individual will only have access to a limited amount of data. 
• Storing of more accurate and up-to-date personal data, as outdated and unnecessary ones, would have been removed.
• It creates a faster response to data subject access requests because there is fewer data to consider.
• It increases customers’ knowledge of the value of their personal data, and they will trust a company more if they know that their data will not be misused.
• It reduces cost. Since all data storages cost money, having less will save your business added expenditure. Also, your business avoids the cost of fines issued by regulators for violation of this principle.

What Organisations need to do to implement data minimisation

Organisations can ensure data minimisation by reducing the personal data they collect. They must define which data is necessary to conduct their business activities and collect. They must also limit access to the information they process to employees on a ‘need to know’ basis. Also, when personal data collected becomes out-of-date, the databases must be regularly updated to only keep relevant information. Finally, there is a need to delete data systematically, as this is a core aspect of data minimisation. When user data becomes old, it will be useless for your organisation’s need and will only take up unnecessary space. You need to be sure that all the organisation data is valuable and necessary.

What data subject can do to ensure data minimisation

As a data subject, the first thing to do is ask questions. Enquire into the reason a business is requesting specific information. Usually, this information should be in their privacy notice, so read privacy notices. If anything still needs to be clarified, ask. 

For organisations that already process your personal data, exercise your right to access it. For example, send them a data subject access request (DSAR) to find out if they are processing more information about you than they should. 

If you need help with this process, you can reach us @ compliant@pdpainitiative.com because your privacy matters to us.