In violation of Article 5(1)(c).
We see it a lot. It’s a common reason for a fine. Usually lumped together with a bunch of other Article 5 violations.
So what is it all about?
Article 5(1)(c) of the GDPR is also known as the Data Minimisation principle and states:
(Personal data shall be…)
“(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)”
And it’s not limited to the GDPR. Most US privacy laws also contain data minimisation regulation of some sort, such as:
“(c) A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.”
And Data Minimisation, as you can see above, usually does not live alone. It’s combined with purpose limitation as well as storage (or retention) limitation.
But first, what is Data Minimisation?
Essentially, it means only collecting the data needed to run your business - not more.
What does that mean for marketing?
Only collect the data you can action on, data that drives decision making.
It means that you need to develop a clear data strategy and fully understand what the purpose of each data point is that you collect.
There has to be a purpose behind every piece of personal data you are collecting.
Well, it’s hard to practice the principle of Data Minimisation if you don’t understand the purpose of your data or don’t have a retention strategy.
If you don’t have a purpose for the personal data you collect, then you shouldn’t collect it.
If you don’t have a retention schedule for the personal data you collect, then you should not collect it.
It all comes down to strategy. Needing to have a clear data minimisation strategy is becoming essential if you want to stay compliant.
only collect what you really need
have a clear purpose to collect it
have a retention schedule defined for each data point
How does this look in real life?
Let’s take a simple eCommerce transaction that requires you to ship the customer a t-shirt.
What do we need?
Name - to know who to ship it to
Address - to know where to ship it
Credit Card Info - to run the payment for the purchase
Retention of data is driven by various elements, but in the above case we need to keep all the above information on file for returns, refunds, chargebacks, and tax reasons (depending on country, up to 7 years).
Or consider you are asking users to sign up to download a white paper.
What do we need to collect?
We don’t need to collect anything really. We could just let them download the paper. But let’s assume you are using the white paper to expand your email list, then what?
Email - so we can send the email (providing they opt in)
Anything else? - No
You get the point: we only need to collect very little data, and the less we collect, the less risk there is.
But we also need to grow and build a successful business, part of which is email marketing, building lead sources, re-marketing, etc.
So how do we find a balance as to what to collect and what not?
How can we still grow and honour the data minimisation principle?
Create a data minimisation strategy
Create a strategy that clearly defines:
what data has to be collected
why the data has to be collected
what action will be taken on the data being collected
how the data will affect decision making internally
what functions the data has
how long the data will be stored for
the reason the data is being stored for a certain length (i.e. tax, transaction, marketing)
Is Data Minimisation worth it?
100%. I’ve been telling clients for years to only collect the data that they can action on - data that drives decisions. It allows for clarity and reduces the time looking for insights - it's easy to get lost in a table full of useless data.
Here are some additional ways data minimisation can help you:
It helps you determine what data to collect, process, and store (and for how long to store it).
It helps you discover what unnecessary data you are collecting.
It helps uncover any risks your data is exposed to while collecting, processing, and storing.
It helps limit the amount of personal data you are collecting.
It helps reduce the risk of a breach by limiting the amount of data you are collecting, processing, and storing.
It helps reduce time spent looking for insights in your larger-than-life data mess.
Data minimisation is not only about privacy, compliance, and reducing risks. It's about making your data more accessible and being able to action on the data you have.