Data minimisation
Unlock This Video Now for FREE
This video is normally available to paying customers.
You may unlock this video for FREE. Enter your email address for instant access AND to receive ongoing updates and special discounts related to this topic.
Personal data shall be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
This principle is almost identical to the third principle of adequacy in the 1998 data protection act. The difference under GDPR is that you must be able to demonstrate that you have appropriate processes in place to ensure that you only collect and hold the personal data that you need.
It is important to assess the data you are holding and whether or not you actually need it for the purpose of the processing. Only collect the data that you need to fulfil the processing. Remember that holding data you do not need and for longer than necessary is likely to be unlawful and a breach of the data minimisation principle.
If you cannot prove that you have assessed the minimum data that you need, you may also be in breach of the accountability principle.
There is no definition provided for the terms “adequate”, “relevant” or “limited” under GDPR, so make sure that you don’t request information that you do not need. Make a list of the data you process and justify each type to ensure that you really need to process it.