GDPR Data Minimization Principles Explained
In business life, people often say that it is better to collect and store more information from a customer than necessary, because the additional information could be useful at some point. However, they often overlook that the vast majority of this additional information is never used and that, within the usually quite extensive data collections, the actually useful data are more difficult to find. In addition, extensive data collection requires corresponding resources, e.g. working time and money. Regardless of this, it regularly violates the so-called data minimisation principle of the General Data Protection Regulation (GDPR).
What is data minimisation and how can you implement the requirements of the GDPR?
Article 5 of the GDPR lists the essential basic principles of data protection that must be observed when processing personal data. It includes data minimisation, often also referred to as “data avoidance”.
Under the data minimisation requirements, the GDPR provides that personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. This means that you have to observe the following requirements.
The collection of the data must be suitable to fulfil the specified purposes of the processing. For example, when somebody subscribes to a newsletter, the collection of the data subject’s address is not suitable to fulfil the purpose (sending the digital newsletter by e-mail), which is why you are not allowed to collect it in the newsletter subscription form. This is different when people register to receive a monthly product catalogue sent by post.
But the fact that the collection of a certain type of data is adequate to achieve the purpose of the processing is not sufficient on its own. The data minimisation principle also requires that this collection is necessary because you cannot achieve the purpose of the processing otherwise. Example: the purpose of collecting biometric data as part of a fingerprint check at the entrance of a building is to prevent unauthorised persons from entering. It would also be possible to use the fingerprint check to record the working hours of employees in Germany. However, this purpose can be fulfilled without the use of special categories of data, for example via a time clock or separate software – both of which should be milder means than the processing of special categories of data (biometric data).
The fact that the collection of certain data is suitable and necessary to achieve the purpose is not always sufficient. The context of the processing of the data also plays a role. An example: a geolocation system may be installed on a truck for the purpose of effective route planning, but it may only be active during the driver’s working hours. Another example is video surveillance. It may be used for the purpose of building security and theft prevention. However, cameras may only be used in certain areas: e.g. at the entrance of the building, but not in the locker room.
Is data minimization good or bad for you?
Data minimisation initially appears to many to benefit only the persons whose data are processed (“data subjects”: customers, website visitors, etc.), and entrepreneurs usually see it as a limitation of their options for action within the scope of their activities. However, data minimisation or data economy is also in the interest of businesses. Apart from avoiding possible sanctions, including fines for a data protection violation, not storing unneeded data makes it easier to find useful data. By freeing up data storage space, you also save resources.
The creation and audit of the register of processing activities is a good occasion to clean up the procedures you use and the data you store. You eliminate redundant procedures. Data that you cannot justify processing will be deleted. Besides data that you have deliberately retained, this also affects data that you can no longer identify. For example, if you have contact details of people but no longer know who they are or in what context you collected the data, that is a sign that these data should no longer be stored.
It is important to understand here that data minimisation does not mean a ban on the collection of certain data, but only that you must have a justification for their collection and their processing.
Furthermore, data minimisation is increasingly important for customer trust. If customers notice that you use “tricks” to learn more about them than what is necessary, it can make them stop working with the company.
What rights does a data subject have if the data minimisation principle is disregarded?
The data subjects have all the rights set out in Chapter III and Article 77 of the GDPR. In particular, they have the right to have the data deleted if it is not necessary for achieving the purpose of the processing.
What is the maximum length of time you can hold data for?
At some point, you must delete the data you hold, namely when there is no longer a need or obligation to retain them. The specific retention periods are highly dependent on the context of the data processing. The creation and implementation of a deletion concept is therefore highly recommended. In simplified terms, the existing data is categorised and each category is given a deadline in terms of necessity; in particular, the legal and industry-standard retention periods must be observed. Within the framework of the concept, you harmonise the retention periods for different data categories that are kept together and set a common period for them. However, a period alone is not sufficient, as it must also be determined when this period begins. For example, it could be specified that the period for deleting a customer file starts when there has been no contact with the customer for three years.
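The deletion concept described above, worked through as an added example (not code from the original article or from 2B Advice): each data category gets a rule naming the date that starts its clock, a grace period before the retention period begins (the page's example of three years without customer contact) and the retention period itself; a record that keeps several categories together is due only when the longest of its periods has run out. The invoice and newsletter periods, the field names and the sample records are assumptions constructed for illustration, not legal advice.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

@dataclass(frozen=True)
class Rule:
    trigger: str          # record date field that starts the clock
    grace_years: int      # years without contact before the period begins (page example: 3)
    retention_years: int  # the retention period itself

# Assumed schedule for illustration, not legal advice: the customer-file rule follows the
# page's own example; the invoice and newsletter values are constructed.
RULES = {
    "customer_file": Rule("last_contact", grace_years=3, retention_years=1),
    "invoice": Rule("document_date", grace_years=0, retention_years=10),
    "newsletter": Rule("unsubscribed", grace_years=0, retention_years=0),
}

@dataclass
class Record:
    record_id: str
    categories: list[str]                          # data categories kept together in this record
    dates: dict[str, date] = field(default_factory=dict)

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                             # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)

def deletion_due(rec: Record) -> date | None:
    """Harmonised due date: the latest period among the categories kept together.
    Returns None while any category's clock has not started (the record must stay)."""
    due = []
    for cat in rec.categories:
        rule = RULES[cat]
        start = rec.dates.get(rule.trigger)
        if start is None:
            return None
        due.append(add_years(start, rule.grace_years + rule.retention_years))
    return max(due) if due else None

def records_to_delete(records: list[Record], today: date) -> list[str]:
    return [r.record_id for r in records if (d := deletion_due(r)) and d <= today]

# Constructed sample data: one record per situation the rules distinguish.
TODAY = date(2025, 1, 1)
SAMPLE = [
    Record("C-1", ["customer_file", "invoice"], {"last_contact": date(2019, 6, 1), "document_date": date(2019, 6, 1)}),
    Record("C-2", ["customer_file"], {"last_contact": date(2020, 3, 15)}),
    Record("N-1", ["newsletter"], {}),                                   # never unsubscribed: clock not started
    Record("N-2", ["newsletter"], {"unsubscribed": date(2024, 1, 10)}),
]
```

Calling `records_to_delete(SAMPLE, TODAY)` yields the customer file without contact since 2020 and the unsubscribed newsletter entry; the record that also holds an invoice stays until its longer period ends.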
How do you ensure data minimization?
What question do you have to ask yourself?
For any data processing, you must ask yourself which data is necessary to achieve the purpose. All other data (“data kept on hand”) cannot be processed within this framework, or a separate legal basis must be used for this (e.g. consent).
Transparency is also very important. Do not hide references to data processing in long contract texts or make the conclusion of the contract dependent on the provision of consent for another processing. For example, you should only mark as mandatory fields in a form those fields that are necessary to achieve the purpose of the main processing.
Another example: as a rule, you do not need information about whether a customer has children or when he was on holiday for the purpose of performing a contract. This information can therefore not be processed on the basis of Article 6(2)(b) of the GDPR (“performance of the contract”). Of course, as a seller you have a legitimate interest in creating a basis of trust with the customer and in exchanging some private information for this purpose. This information can be processed on the basis of the customer’s consent for the purpose of good customer relations. However, you should be the only one who has access to this information; it must not be entered into a CRM, for example. If another salesperson takes over the customer, you must not share this information.
Privacy by design as implementation of the data minimisation principle
The data minimisation principle overlaps with the principle of privacy by design, which is listed in Article 25 (2) of the GDPR.
This principle states that appropriate technical and organisational measures must ensure that, by default, you process only personal data whose processing is necessary for the specific processing purpose in question. The principle concerns, among other things, the means that you must actually put in place in order to comply with the data minimisation principle. For example, optional fields and mandatory fields in a form must be easy for the customer to differentiate.
Here is another recommendation of an implementation of privacy by design in order to comply with the data minimisation principle. Except in the case of contact forms, only certain data are necessary in forms and you should therefore avoid free input fields there and favour drop-down selection options or check boxes. If people do not know what to enter, there is a risk that they give information that is not necessary for the processing.
As a second example, we would like to mention the issue of comment fields in files maintained by your employees. Supervisory authorities have, for example, fined call centre staff for entering very precise information about customers (about their health, …) that was not relevant for the purpose of the processing and that sometimes even included insulting remarks in comment fields of the CRM system. Apart from the necessary data protection training of your employees, we recommend setting up a warning banner for the use of such comment fields, or restricting the entries by means of drop-down menus.
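Privacy by default at the point of collection, as an added example (not code from the original article or from 2B Advice) covering both the form-field rule above and the restricted comment entries: a server-side check keeps only the fields the declared purpose needs, keeps optional fields only where consent for them was given, drops everything else as “data kept on hand”, and rejects free text where a drop-down selection is prescribed. The form names, field names and drop-down values are constructed assumptions following the page's newsletter and catalogue examples.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass(frozen=True)
class FormSpec:
    purpose: str
    mandatory: frozenset[str]                     # needed to fulfil the purpose
    optional: frozenset[str] = frozenset()        # stored only with a separate legal basis (consent)
    choices: dict[str, set[str]] = field(default_factory=dict)  # drop-down fields: no free text

# Assumed form specs built from the page's examples: an e-mail newsletter needs only an
# e-mail address, a printed catalogue needs a postal address. Field names are constructed.
FORMS = {
    "newsletter": FormSpec("sending the e-mail newsletter", frozenset({"email"})),
    "catalogue": FormSpec(
        "posting the monthly product catalogue",
        frozenset({"name", "street", "postcode", "city"}),
        optional=frozenset({"product_interest"}),
        choices={"product_interest": {"garden", "kitchen", "tools"}},
    ),
}

def minimise(form: str, submitted: dict[str, str],
             consent: set[str] = frozenset()) -> tuple[dict[str, str], dict[str, str]]:
    """Return (kept, dropped): only data the purpose needs, or that the person consented to,
    is kept; dropped maps each rejected field to the reason it was not stored."""
    spec = FORMS[form]
    missing = sorted(f for f in spec.mandatory if not submitted.get(f))
    if missing:
        raise ValueError(f"mandatory fields missing for {spec.purpose}: {missing}")
    kept, dropped = {}, {}
    for name, value in submitted.items():
        if name in spec.mandatory or (name in spec.optional and name in consent):
            allowed = spec.choices.get(name)
            if allowed is not None and value not in allowed:
                dropped[name] = "free_text_not_allowed"    # only drop-down values are accepted
            else:
                kept[name] = value
        elif name in spec.optional:
            dropped[name] = "no_consent"
        else:
            dropped[name] = "not_necessary_for_purpose"    # data kept on hand is not processed
    return kept, dropped

# Constructed sample submissions.
NEWSLETTER_INPUT = {"email": "a@example.com", "street": "Main St 1"}
CATALOGUE_INPUT = {"name": "A. Example", "street": "Main St 1", "postcode": "12345",
                   "city": "Bonn", "product_interest": "garden"}
```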
Conclusion: How do you successfully implement a data minimization initiative?
You need to assess all personal data you have in your database by asking yourself, for each processing operation, whether the data being collected is in line with this principle. Then you need to check whether the collected data that are not necessary may be processed in another framework. Finally, you must delete the data for which you cannot find any framework, and you must not collect this data in the future.
The collection of information for the record of processing activities should actually give you many elements that allow you to get a picture of the state of your organisation in terms of the data minimisation principle.
How can 2B Advice help you implement the data minimisation principle?
We can help you determine when data are necessary for processing and advise on alternative frameworks for processing the additional data where possible. We usually carry out this work in the context of creating a record of processing activities or updating it, either in the context of external data protection officer mandates or in the context of a specific mandate for this purpose. In addition, we provide advice on how best to implement data protection-friendly default settings.