By
Alex Franch
March 20, 2023
Data minimisation means maintaining only data that is strictly necessary to fulfil a specific purpose. Data minimisation is a direct way to limit privacy leakage. Intuitively, the less data businesses collect, store, and share, the easier it is for them to protect the personal information of users.
Since the first decade of the 21st century, businesses and governments have been under the impression that data is the new oil, and that the companies and organisations with access to the most data and the best ways of making sense of it would inevitably rise to the top and succeed. On the contrary, data has become a liability rather than an asset, and its management is slowly becoming a privacy and information security nightmare. That's where data minimisation comes in: it removes the data liabilities your firm has, letting you focus your energies on maximising the value of your data assets.
The principle of data minimisation means that data controllers must only collect and process personal data that is relevant, necessary and adequate to accomplish the purposes for which it is processed. It encourages companies to adopt the organisational practice of minimising the overall amount of personal data collected. In practice, it obliges companies to collect only personal data that is adequate, relevant and limited to their specific purpose.
Example: A recruitment agency places workers in a variety of jobs. It sends applicants a general questionnaire, which includes specific questions about health conditions that are only relevant to particular manual occupations. It would be irrelevant and excessive to obtain such information from an individual who applied for an office job.
Let's understand the essential elements of the minimisation principle:
Although these terms are not explicitly defined within GDPR, organisations can use the following general definitions when determining the adequacy, relevance and limitation of personal data collection.
Adequate: only data that is sufficient to adequately fulfil the specified purposes stated under the 'purpose limitation' principle.
Relevant: only data that is reasonably related to the purposes stated under the 'purpose limitation' principle.
Limited: only data that is necessary to perform the stated purposes, ensuring the organisation does not collect data that is not relevant to those purposes.
The principle of data minimisation benefits an organisation not only in data management but also from a data protection perspective.
The application or adoption of the principle of data minimisation requires the creation of a comprehensive plan that includes the following principles:
Collecting data is easy, but becoming the rightful custodian of that data is challenging. It is important to put in place and adopt an effective mechanism to use the data for its rightful purpose and discard it properly, to showcase your commitment to and respect for the core principle of GDPR.
Disclaimer
This article does not constitute legal advice in any form and only seeks to break down some of the main points set out by publicly available sources such as the ICO.