Let's Talk Data Security

GDPR: the Data Adequacy and Data Minimisation principle

Written by Louis Emmanuel Ojuwu | Nov 23, 2017 11:16:57 AM

The Data Protection Act (current law) requires companies to ensure that they only collect the personal data they need for the purposes they have specified. They are also required to ensure that the personal data they collect is sufficient for the purpose for which it was collected.

This is retained with more emphasis as part of the six principles of the General Data Protection Regulation (GDPR) - known as the Data Adequacy and Data minimisation principle (see Article 6 1(c) and Article 5, 1(C) of the GDPR).

Many non-EU organisations collect personal data, and then later decide the purpose for which they wish to use this data. The Directive does not permit this approach, and the GDPR tightens the restrictions further, stating that organisations should not collect data that isn't necessary for a specified purpose that has been notified to data subjects.

Data Minimisation has many different interpretations but this stands out:


E
xample: The purpose limitation principle

  1. Organisation A is a reinsurer. It provides services to insurance companies. Over the years it has collected large amounts of personal data relating to insured data subjects. It would now like to combine data from its various customers into a single database, to enable it to price its products more accurately. Can it do this?
  2. Personal data collected for one purpose (e.g. performance of an insurance contract) cannot be used for a new, incompatible purpose (e.g. creating a database of information about insured data subjects to set prices more accurately). Organisation A might be able to achieve its aims by taking additional steps (e.g. obtaining the consent of the affected individuals or by anonymising the data before creating the database - subject to the need to ensure that such anonymisation is, itself, lawful processing of personal data).

Can EPI-USE Labs help with this?

Client Sync™, part of the Data Sync Manager™ suite, allows you to take a time-slice of data (e.g.  'X' months as opposed to using DB copy or SAP full copy process which implies entire Business and Personal data history worth over 5 - 10 years or more). This minimises and reduces organisation data footprint, with only the minimum data needed for testing or business use-cases.

Employee sensitive data can be immediately excluded from Sync in non-production environment when not needed. This gives you as a business more granular control and ownership of the data set copied, thereby further reducing the personal data footprint.