The “data minimisation” principle means that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose. They should also retain the data only for as long as is required to fulfil that purpose.

Variety, volumes, and velocity of data collected.

With the vast volumes of data being collected, there is an ardent need to revisit the data minimisation or clean-the-house component of GDPR. The definition of big data is data that contains greater variety, arriving in increasing volumes and with more velocity. Big data is more extensive and complex, especially from new data sources.

All companies must revisit their data minimisation objectives by asking the following checklist/questions:

  1. Create, collect or store the minimum content (data sets and attributes) needed for valid business purposes. Retain the data only for as long as necessary to serve the intended business purpose.
  2. Retaining data solely for the duration necessary to serve the intended business purpose is imperative. No exceptions.
  3. Reduce backups and copies of the data to the minimum necessary.
  4. Gather the data/information from a third party before assessing the vendor
    1. What is the nature of the service/s provided by the vendor?
    2. What data (attributes) must be shared with the vendor for the third party to provide the service/s?
    3. How long must the third party retain the data? (i.e.) for the duration of the contract or a different specific duration.
    4. Ask the third party to confirm that they have not shared any more than the necessary data with the vendor.
  5. Verify the following with the vendor as part of the assessment:
    1. Is the data received by the third party consistent with what the third party told us?
    2. Does the third party have an inventory of all copies of the data?
    3. Does the third party have a stated purpose for each copy of the data? We may need to validate the purpose/s with our sponsor if any additional copy appears unnecessary.
    4. Are the data retention periods consistent with what our third party told us?
    5. Do not accept any unnecessary data from a third party to provide the contracted services.
  6. Does your current process address and content include the above for achieving the data minimisation objectives with the necessary content to assess and accomplish these objectives?

For additional checklist for larger organisations see : here.

At our monthly global GDPR (generic term for data privacy and data protection) we continue to focus on data minimization issues to ensure that the data is the new black and create competitive advantages by enforcing structured data throughout the organization. Register here.