Does your current process, and the content it covers, address the points below, with assessments of sufficient scope to define, assess and achieve your data minimisation objectives?
Non-compliance with the general data processing principles continues to be one of the most significant reasons for GDPR fines. This article focuses on data minimisation as a critical tenet of GDPR and of the data subject's rights. Personal data is minimised when it meets three criteria:
- adequate: sufficient to properly fulfil your stated purpose;
- relevant: has a rational link to that purpose; and
- limited to what is necessary: you do not hold more than you need for that purpose.
To start with, identify your organisation's data minimisation objectives. Is the objective simply compliance with GDPR and other mandates, or do you also want to clean house and structure your data so that the volume you do hold can be used for competitive and related advantage? In either case, ask whether you:
- Create, collect or store only the minimum content (data sets and attributes) needed for valid business purposes.
- Reduce the number of copies of the data to the minimum necessary.
- Retain the data only for as long as necessary to serve the intended business purpose.
Gather the following information from a third party before assessing that vendor for compliance:
- Identify the nature of the service(s) provided by each vendor or third party.
- Which data attributes must be shared with the vendor for the third party to provide the service(s)?
- How long must the third party retain the data: for the duration of the contract, or for a different, specific period?
- Ask the third party to confirm that it has not shared more than the necessary data onward with its own vendors.
Verify the following with the vendor as part of the assessment:
- Is the data actually received by the third party consistent with what the third party told us it needs?
- Does the third party keep an inventory of all copies of the data?
- Does the third party have a stated purpose for each copy of the data? If an additional copy appears unnecessary, validate its purpose with our business sponsor.
- Are the data retention periods in practice consistent with what the third party told us?
- Do not accept any data from a third party that is not needed to provide the contracted services.
Get more information on Data minimisation at the Global Data Protection Day: https://www.copenhagencompliance.com/data-protection-day-2023/