What does ‘data minimisation’ mean?
Simply put, data minimisation is the process of limiting the collection and retention of personal data to what is absolutely necessary. The purpose for processing personal data should be identified by the data controller. The information collected should be adequate to fulfil that purpose, directly relevant and limited to what is necessary.
UK GDPR Overview
When an entity or person needs to collect personal information to enable their everyday business functions and activities, they must do so in compliance with the United Kingdom General Data Protection Regulation (“UK GDPR“). The Regulation is separated into 99 Articles, each referring to different rules and guidelines surrounding data protection compliance. There are also 173 Recitals to be read in conjunction with the Articles, providing clarification and additional guidance.
The UK GDPR takes a risk-based approach, focusing on the principles of ‘Privacy by Design‘ to ensure the current data protection framework meets the requirements of the digital age. Considering an individual’s privacy from the start of designing systems and processes ensures a high level of protection.
What is Personal Data?
Personal data is defined by the UK GDPR as any information relating to an identified or identifiable natural person (“data subject“). An identifiable natural person is one who can be identified, directly or indirectly. Information can include identifiers such as a name, an identification number, location data, an online identifier or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the person.
In addition to standard personal information, the UK GDPR also refers to ‘special category data’. This is personal data that needs a higher degree of protection due to its sensitive nature. Special category data carries the assumption that the information could be used in a negative or discriminatory way towards the person it relates to. Data controllers should carry out Data Protection Impact Assessments to help them assess the impact that processing special category personal data could have on the data subject.
UK GDPR Principles
The GDPR principles are the bedrock of the data protection regulations. They set out how personal data should be processed and the actions necessary to ensure compliance with the GDPR. Article 5 of the UK GDPR states that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)
- adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased, or rectified without delay (‘accuracy’)
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
In addition to the 6 main Principles, Article 5(2) states that ‘the controller shall be responsible for, and be able to demonstrate, compliance with the UK GDPR principles’ (‘accountability’). This involves summarising the measures and controls in place to protect personal information and mitigate the risks associated with processing.
Many firms with obligations under the UK GDPR ask ‘what does data minimisation mean?’
Limiting what personal data is collected is often straightforward. However, processing activities and personal data requirements vary enormously. Firms need to carry out an information audit when they start processing personal data to ensure they know what information they need for each processing activity.
The 2 keywords when it comes to minimising personal data are ‘relevant and necessary’. A business needs to identify and define what information is relevant to accomplish the specified purpose, and what information is necessary to complete the processing activity effectively. Article 5(1)(c) of the UK GDPR states “personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.
Data minimisation means only collecting the personal data that is essential for carrying out the processing activity and only retaining that data for as long as it is necessary to fulfil that purpose.
Only collect what you really need, and only keep it for as long as needed!
GDPR Data Protection Policy Templates
Don’t reinvent the wheel when it comes to developing your GDPR data protection policies and controls. With more than 9500 organisations using our documents, you can trust Know Your Compliance Limited to deliver professional, compliant templates every time.
We are one of the UK’s leading providers of GDPR policy templates. Whether you are looking for individual data protection policy templates or a complete suite with our exclusive GDPR Document Toolkit, we have you covered!
- Up to 80 market leading GDPR policies, procedures and templates.
- Including information audit template, 100+ question GDPR checklist and DPIA procedures.
- Microsoft Word & Excel formats for ease of use and customisation.
- Instant download after payment if paying by debit or credit card.
- Fully customisable content and formats with easy corporate branding.
- Buy from a name you can trust and join 9500+ firms who already use us.