The data minimization principle in the GDPR
In business, it is often said that, in case of doubt, it is better to collect and store more information than necessary from a customer because the additional information could be useful at some point. However, it is often overlooked that the vast majority of this additional information is never used and that the actual useful information is more difficult to find among the usually quite extensive data collections.
In addition, extensive data collection requires corresponding resources, e.g. working time and money. Irrespective of this, it regularly violates the so-called data minimization principle of the GDPR.
What is data minimization and how can you implement the requirements of the GDPR?
Importance of the data minimization principle under the GDPR
Definition of the data minimization principle
Article 5 of the General Data Protection Regulation (GDPR) lists the basic principles of data protection that must be observed when processing personal data. These include the principle of data minimization, also referred to as data economy.
As part of the data minimization requirements, the GDPR stipulates that personal data must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed". This means that the following requirements should be observed:
The collection of the data must be suitable for fulfilling the specified purposes of the processing. When registering for a newsletter, for example, the collection of the data subject's address is not suitable for fulfilling the purpose (sending digital newsletters by email) and may not be collected for this purpose when registering for an e-newsletter. The situation is different when registering to receive a monthly product catalog that is sent by post.
However, the fact that the collection of a certain type of data is appropriate to achieve the purpose of the processing is not in itself sufficient. The data minimization principle also requires that this collection is necessary because the purpose cannot be achieved otherwise. An example: the collection of biometric data as part of a fingerprint check at the entrance to a building serves the purpose of preventing unauthorized access. The same fingerprint check could also be used to record the working hours of employees in Germany. However, this purpose can be fulfilled without the use of special categories of data, for example with a time clock or separate software, both of which represent milder means than the processing of special categories of data (biometric data).
The fact that the collection of certain data is suitable and necessary to achieve the purpose is not always sufficient. The context in which the data is processed also plays a role. For example, a geolocation system may be installed on a truck for the purpose of effective route planning, but it may only be active during the driver's working hours. Another example is video surveillance. It can be used for the purpose of building security and theft prevention. However, cameras may only be used in certain areas: e.g. at the entrance to the building, but not in the changing room.
Is data minimization good or bad for you as a company?
For many, data minimization at first appears to benefit only the people whose data is processed ("data subjects": customers, website visitors, etc.), and entrepreneurs usually see it as a restriction of their freedom of action within the scope of their activities. Yet data minimization, or data economy, is also in the interest of companies. Apart from avoiding possible sanctions, including fines for data protection violations, not retaining superfluous data makes the useful data easier to find. Freeing up storage space also saves resources.
The creation and review of the record of processing activities is a good opportunity to tidy up the processes you use and the data you store. Superfluous procedures are eliminated. Data whose processing you cannot justify will be deleted. Apart from data that you have stored, this also applies to data that you can no longer identify. For example, if you have contact details of people but no longer know who they are or in what context the data was collected, this is a sign that this data should no longer be stored.
It is important to understand here that data minimization does not mean a ban on the collection of certain data, but only that you must have a justification for its collection and processing as a whole.
In addition, data minimization is increasingly important for customer trust. If customers realize that "tricks" are being used to learn more about them than what is necessary, they may decide not to continue working with the company.
What rights does a data subject have if the data minimization principle is disregarded?
Data subjects have all the rights set out in Chapter III and Article 77 of the GDPR. In particular, they have the right to erasure of the data if it is not necessary to achieve the purpose of the processing.
What is the maximum length of time you can store data?
At some point, data must also be deleted, namely when there is no longer a need or obligation to retain it. The specific retention periods depend heavily on the context of the data processing. The creation and implementation of a deletion concept is therefore highly recommended. In a very simplified manner, the existing data is categorized and provided with deadlines in terms of necessity; in particular, the statutory and industry-standard retention periods must be observed. As part of the concept, the retention periods for different categories of data that are stored together are harmonized and a common deadline is set for these. However, a time limit alone is not sufficient, as it must also be determined when this period begins. For example, it could be specified that the period for deleting a customer file begins as soon as there has been no further contact with the customer for three years.
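The deletion concept described above, as an added example that is not part of the original article: data is categorized, each category gets a retention period, categories stored together in one file share the longest applicable deadline, and the clock starts at a defined trigger event (here the last customer contact). The categories and periods are constructed values, not the statutory periods of any jurisdiction.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention period per data category, in days. Constructed example values:
# a real deletion concept takes these from the applicable statutory and
# industry-standard retention periods.
RETENTION_DAYS = {
    "contact_details": 3 * 365,    # assumed: three years after the last contact
    "invoice": 10 * 365,           # assumed: a longer statutory period
    "newsletter_consent": 2 * 365,
}


@dataclass
class CustomerFile:
    """One customer file: the categories stored together and the trigger event."""
    customer_id: str
    categories: list
    last_contact: date             # the event that starts the retention clock


def deletion_date(record: CustomerFile) -> date:
    """Harmonized deadline for data stored together: the longest applicable
    period, counted from the trigger event."""
    unknown = set(record.categories) - RETENTION_DAYS.keys()
    if unknown:
        # A category without an assigned period has no justified retention.
        raise ValueError(f"no retention period defined for {sorted(unknown)}")
    longest = max(RETENTION_DAYS[c] for c in record.categories)
    return record.last_contact + timedelta(days=longest)


def due_for_deletion(records, today_iso: str) -> list:
    """Return the ids of all files whose harmonized deadline has passed."""
    today = date.fromisoformat(today_iso)
    return [r.customer_id for r in records if deletion_date(r) <= today]


# Constructed sample files
SAMPLE = [
    CustomerFile("c-001", ["contact_details"], date(2020, 1, 15)),
    CustomerFile("c-002", ["contact_details", "invoice"], date(2020, 1, 15)),
    CustomerFile("c-003", ["newsletter_consent"], date(2023, 6, 1)),
]

if __name__ == "__main__":
    for cid in due_for_deletion(SAMPLE, "2024-03-01"):
        print("delete", cid)
```

Note that c-002 holds the same contact details as c-001 but is kept longer because the invoice stored with it has the longer period.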
How do you ensure data minimization?
What question do you need to ask yourself?
For each data processing operation, you must ask yourself which data is required to achieve the purpose. All other data ("data retention", i.e. data collected in reserve) may not be processed within this framework unless a separate legal basis is used for it (e.g. consent).
Transparency is also very important. Do not hide references to data processing in long contract texts or make the conclusion of the contract dependent on the submission of consent to other processing. For example, you should only mark as mandatory fields in a form those fields that are necessary to achieve the purpose of the main processing.
Another example: as a rule, you do not need information about whether a customer has children or when they were on vacation for the purpose of performing a contract. This information can therefore not be processed on the basis of Article 6(2)(b) of the GDPR ("performance of a contract"). However, as a seller, you naturally have a legitimate interest in building a relationship of trust with the customer and in exchanging some private information for this purpose. This information can be processed on the basis of the customer's consent for the purpose of good customer relations. However, you should be the only person who has access to it; such details must not be entered in a CRM, for example. If another salesperson takes over the customer, you may not pass this information on.
Data protection-friendly default settings as implementation of the data minimization principle
The data minimization principle overlaps with the principle of data protection-friendly default settings (privacy by design), which is listed in Art. 25 para. 2 GDPR.
This principle states that appropriate technical and organizational measures must ensure that, by default, only personal data whose processing is necessary for the respective specific processing purpose is processed. The principle concerns, among other things, the means that must actually be implemented so that the data minimization principle is observed. For example, optional fields and mandatory fields in a form must be easily distinguishable from each other for the customer.
In addition to data protection-friendly default settings that implement the data minimization principle, we recommend that you avoid free-form input fields on forms and prefer drop-down selections or checkboxes wherever only specific data is required (contact forms being the exception). If people do not know what to enter, there is a risk that they will provide information that is unnecessary for the processing.
As a second example, we would like to mention the issue of comment fields in files maintained by your employees. Supervisory authorities have, for example, imposed fines because call center employees had entered very precise information about customers (about their health, etc.) that was not relevant to the purpose of processing, sometimes even containing offensive remarks, in comment fields in the CRM system. Apart from the necessary data protection training of your employees, we recommend that you set up a warning banner for the use of such comment fields, or restrict the entries using drop-down menus.
Conclusion: how can you successfully implement a data minimization initiative?
You must assess all the personal data you have in your database by asking yourself for each processing operation whether the data being collected is in line with this principle. Then you must check whether the unnecessary data collected may be processed in a different context. Finally, you must delete the data for which no framework can be found and you may no longer collect this data in the future.
Collecting the information for the record of processing activities should in itself give you many of the elements you need to form a picture of where your organization stands with regard to the data minimization principle.
How can 2B Advice help you implement the data minimization principle?
We can help you determine when data is necessary for processing and advise on alternative frameworks for processing the additional data where this is possible. As a rule, we carry out this work in the context of creating or updating a register, in the context of external data protection officer mandates or a special assignment for this purpose. In addition, we provide you with advice on the best implementation of data protection-friendly default settings.