It is tempting to see the GDPR as a long, annoying, and sometimes convoluted compliance checkbox. Yet the GDPR is meant to be a model of good data governance rather than a mere laundry list of legal do's and don'ts. You can look at each Article, ensure you are compliant, and move on. Or you can look at the Regulation as inspiration for strategies that can be beneficial as well as compliant.
Last week Miloš Novović and Rie Aleksandra Walle touched upon some important rules of good data governance on their awesome Grumpy GDPR podcast, including data minimization. Their discussion inspired us to write about it as well.
We want to show how data minimization can lay the foundations for smart data governance strategies that bring together privacy, compliance, and sound business decisions.
- What is data minimization?
- Can less be more?
- Data is not the new oil, but the new stocks
- How can I minimize my data?
Let's dive in!
What is data minimization?
Article 5(1)(c) GDPR reads: "personal data shall be (...) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed". In a word: you should only collect and process the data you need. This is what data lawyers mean when they talk about data minimization.
Data minimization is one of the core principles of the GDPR and is closely connected to other principles such as purpose limitation and storage limitation. Data minimization plays a crucial role in compliance, but there are more reasons to take this principle seriously.
Can less be more?
Most companies treat data as an asset: they want as much of it as possible. It's easy to buy into this general attitude and forget that data comes at a cost. Obviously enough, technical costs increase with the volume of data, whether the processing is done in-house or outsourced to a processor.
But operational costs are not the only ones that should be considered. There are high compliance costs for processing personal data. Data controllers are under many obligations: they must respond to requests by the data subjects, take care of cybersecurity and organizational security, and so on. If they rely on a processor, they must also ensure that it complies with the GDPR. None of this is simple, and it gets more expensive and complicated when you process more data.
Compliance costs and risks do not depend purely on the volume of the data: its nature also has a significant impact. As a rule of thumb, the more sensitive the data, the higher the costs. Location data is more sensitive than contact information, so you must set up more robust security systems to address risks. This is especially true for specific categories of data subject to special protection under the GDPR, such as health data, sexual orientation, and political beliefs. Processing these data types also makes compliance more burdensome for the controller because stricter rules apply.
Finally, the more data you process, the more likely it is that something will go wrong at some point, and the worse your position will be if that happens. Suppose your company is investigated for whatever reason. In that case, the last thing you want is for a data protection authority to find out that you have been processing data you don't really need, as DPAs tend to take the data minimization principle quite seriously. And, of course, storing larger amounts of data means you risk a more significant data breach, which may have severe consequences and draw a lot of unwanted media attention to your company.
Data is not the new oil, but the new stocks
"Data is the new oil" is a commonplace expression by now, but stocks are arguably a better metaphor. Stocks can make you a lot of money or lose you a lot. Successful investors have a clear strategy in mind and are mindful of the risks they take.
Data should be approached with the same mindset. You shouldn't collect data just because you can. You should ask yourself, what goal do I want to accomplish by processing data? What data do I really need in order to accomplish that goal? Is the goal worth the risk? Do I really need all the data I already have, or can I benefit from erasing some?
A data minimization mindset can save you money and compliance headaches, simplify the technical side of your business, and help your company build a reputation for good data governance and privacy-friendliness. Last but not least, it can help build a better Internet where every single communication, click and interaction is no longer tracked out of mindless greed.
How can I minimize my data?
There is no catch-all answer here, but asking yourself the right questions can be a good starting point:
- what personal data do I process?
- for what purpose do I process it?
- do I process it in a way that pursues that purpose?
- how long do I store my data? And how long do I need to store it?
Of course, you are likely processing different types of personal data: for instance, analytics data for your website, contact information for your newsletter, employee data, and payment information from your customers. It is better to think of each of these separately rather than dumping them all together.
The first question is probably the hardest because the definition of personal data under the GDPR is tricky. Personal data is more than just information that identifies someone, such as a name or an email. We touched upon this topic not long ago in our GDPR FAQ, but we barely scratched the surface there.
None of the questions are easy and it’s ok if you don’t have all the answers yet. Keeping them in mind can still help you understand your data processing operations better, which is a starting point for minimizing your data. Once you have a somewhat clear picture, you will probably find some opportunities for improvement.
We built Simple Analytics as a response to the privacy-invasiveness of Google Analytics. We believe in an independent web that is friendly to website visitors. If that resonates with you, feel free to give us a try.