GDPR: the Data Adequacy and Data Minimisation principle

23 November 2017
Written by Louis Emmanuel Ojuwu

With a background in IT Security, networking and web development and a strong understanding of security policies and rules, Louis is a Services Consultant in the EPI-USE Labs European team. He has been involved in over 30 Data Sync Manager implementations across a wide range of industry sectors, and has recently completed a GDPR certification.


The Data Protection Act (current law) requires companies to ensure that they only collect the personal data they need for the purposes they have specified. They are also required to ensure that the personal data they collect is sufficient for the purpose for which it was collected.

The GDPR retains this requirement, with more emphasis, as one of the six principles of the General Data Protection Regulation (GDPR), known as the Data Adequacy and Data Minimisation principle (see Article 6 1(c) and Article 5 1(c) of the GDPR).

Many non-EU organisations collect personal data, and then later decide the purpose for which they wish to use this data. The Directive does not permit this approach, and the GDPR tightens the restrictions further, stating that organisations should not collect data that isn't necessary for a specified purpose that has been notified to data subjects.

Data Minimisation has many different interpretations but this stands out:



Example: The purpose limitation principle

  1. Organisation A is a reinsurer. It provides services to insurance companies. Over the years it has collected large amounts of personal data relating to insured data subjects. It would now like to combine data from its various customers into a single database, to enable it to price its products more accurately. Can it do this?
  2. Personal data collected for one purpose (e.g. performance of an insurance contract) cannot be used for a new, incompatible purpose (e.g. creating a database of information about insured data subjects to set prices more accurately). Organisation A might be able to achieve its aims by taking additional steps (e.g. obtaining the consent of the affected individuals or by anonymising the data before creating the database - subject to the need to ensure that such anonymisation is, itself, lawful processing of personal data).

Can EPI-USE Labs help with this?

Client Sync™, part of the Data Sync Manager™ suite, allows you to take a time-slice of data (e.g. 'X' months), as opposed to using a DB copy or the SAP full copy process, which brings across the entire business and personal data history, worth over 5 - 10 years or more. This reduces the organisation's data footprint to only the minimum data needed for testing or business use-cases.

Sensitive employee data can be immediately excluded from the Sync in non-production environments when it is not needed. This gives you as a business more granular control and ownership of the data set copied, thereby further reducing the personal data footprint.


Don't know where to start with GDPR and SAP? We do!

 

 

 
