Data minimisation is a data protection principle which, colloquially, refers to the idea that organisations should reduce the amount of personal data held, reduce the amount of interaction with personal data and reduce the amount of time for which such personal data is held. In fact, under the General Data Protection Regulation, data minimisation is just one of three principles relating to reducing the amount of unnecessary personal data processing: "purpose limitation", "data minimisation" and "storage limitation".
The first of these principles (purpose limitation) states that organisations should only process personal data for specified purposes and should not process any such personal data in a manner incompatible with such purposes. Organisations will be required to inform individuals, via a privacy policy or other fair processing notice, of the purpose(s) for which they are processing personal data, so any change to the processing activities of the organisation should be carefully considered to determine whether such new processing activities are compatible with the original purpose(s) notified to the individuals.
The GDPR provides some guidance on determining whether a new processing purpose is compatible with the original purpose(s). Organisations will need to consider any link between the original and proposed purposes, the context of the processing activities (in particular the relationship between the organisation and the individual), the nature of the personal data, the possible consequences to the individual and the existence of any security measures to protect the personal data.
The second of these principles (data minimisation) states that personal data should be relevant and limited to the purposes for which it is processed. Just because certain information is interesting or could be useful in the future does not mean that an organisation should obtain, store or otherwise process irrelevant data.
The third of these principles (storage limitation) states that personal data should not be stored for any longer than is necessary for the purposes for which it is processed. This means that organisations will need to establish - and implement - data retention policies. This principle does highlight, though, that such data should not be "kept in a form which permits identification" of individuals, which means that if an organisation can genuinely anonymise the personal data, this principle will not apply.
Anonymous data, by its nature, is not personal data as it does not identify an individual. If an organisation is considering anonymisation (being the permanent modification of personal data in order to prevent re-identification of individuals), it should assess the risk of re-identification of the individuals, taking into account available technology. The organisation will continue to be responsible for safeguarding such data.
The process of anonymising data, however, involves further processing of personal data, so an organisation must ensure that any such anonymisation is compatible with the original purpose of processing personal data. If it is not compatible, then the organisation must ensure that there is another lawful basis for processing the personal data, which must be communicated to the individual in accordance with the principle of lawfulness, fairness and transparency.
For our guide on how to tackle GDPR, see "Welcome to GDPR - How to tackle the changes in 10 steps". See also our webpage with additional information, "Data Protection and GDPR".
Information on the Data Protection Bill, GDPR and specifically for small organisations is also available from the Information Commissioner's Office website.