You can’t lose what you don’t have. In the event of a data breach or another infringement, the data protection authority will look at which data was affected and whether you should have been holding that data in the first place.
The GDPR & minimization of personal data
One of the GDPR’s principles of data processing is that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. This is known as data minimisation (Article 5(1)(c)).
- You should only collect personal data you actually need for your specified purposes.
- You should have sufficient personal data to properly fulfil those purposes.
- You should periodically review the data you hold, and delete anything you don’t need.
Tips on how to minimize your personal data
- Check the retention periods that apply to your data and set up a process that deletes data once the period has expired. Note that in some cases you may not delete it sooner: certain laws oblige you to hold particular data for a minimum period, so don’t simply delete everything you have. There are minimum periods during which you must hold personal data and maximum periods beyond which you may not.
- If no law prescribes how long you may store a particular category of data, you are not supposed to just make up a period that happens to be convenient for you. Look at best practices, at what comparable organisations in your market do, or perhaps at a similar law. Then, arguably the most important step: document (write down) why you have chosen that retention period. If you chose 4 months, why not 3 or 5? You will need to demonstrate accountability (see also F is for Fines and L is for Logging). And some personal advice: don’t think you can outsmart the data protection authority by quickly writing a document after a data breach occurs. Also, just having an explanation in place isn’t enough if the Data Protection Authority doesn’t agree with it; you must be able to substantiate your chosen retention periods.
- Periodically go through your personal data. This includes e-mail. Oh yes, lovely isn’t it? This is one of the many reasons why awareness training is useful: it helps you (as a self-employed person) and your staff recognise personal data for what it is, which keeps data sharing under control and means people know what to delete and what to keep, instead of just doing something.
- Limit data sharing with others. In other words, don’t share personal data if you don’t really need to. For instance: you have a job opening and a short-list of applicants, and you want the input of a few colleagues who will be working directly with the new hire. Two important things: 1. Don’t send personal details (black out the personal details on the resume), and 2. Don’t share via e-mail; instead upload the document to a shared folder with read-only permissions. Once people have decided, delete the file. This limits the number of people who end up with the data on their devices.
- Limit data sharing with you. Whether a client willingly hands you all their information or a colleague shares personal data with you, make sure you limit what you have and keep. If an applicant needs to send you a copy of their ID, it is best to instruct them which information on the ID must remain visible and ask them to black out the rest before sending it. Tell them you will not accept IDs that do not meet these requirements. You want to do this because, in the event of a data breach, if it turns out you held personal data that did not comply with the principle of data minimisation, you could still receive a fine, even though you didn’t ask for the information and someone just threw it in your lap. So, from a CYA standpoint, don’t accept documents or other information containing personal data you don’t need.
- Use tools to help enforce your retention policies. There are plenty of tools that can apply retention periods to the data you store. Ask an expert for advice.
- Don’t forget your sent items when you do a clean-up.
- Don’t forget your back-ups when you do a clean-up.
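As an added example (not part of the original post), here is a small retention sweep in Python that makes the minimum period, the maximum period and the documented basis for each explicit, and that runs over primary storage, sent items and backups in one pass rather than only the primary store. The retention table, the record set and the periods are constructed for illustration; they are not legal advice and the categories are hypothetical.

```python
"""Retention sweep with documented minimum/maximum periods.

Added example, not from the original post. Assumed data model: each record
has a category, a creation date and the store it lives in ("primary",
"sent_items" or "backup"). Rules and records below are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RetentionRule:
    """Minimum days the data must be kept, maximum days it may be kept,
    and the written reason for both (the accountability record)."""
    min_days: int   # younger than this: do not delete, even during a clean-up
    max_days: int   # older than this: must be deleted
    basis: str      # why these periods were chosen (hypothetical text)


# Constructed rules. Real values depend on the law that applies to you.
RETENTION_RULES = {
    "applicant_cv": RetentionRule(
        0, 28, "Hypothetical: 4 weeks after the vacancy closes, industry practice"),
    "invoice": RetentionRule(
        7 * 365, 7 * 365 + 31,
        "Hypothetical: statutory 7-year minimum, deleted within a month after it"),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created: date
    store: str  # "primary", "sent_items" or "backup"


def classify(record: Record, today: date) -> str:
    """Return 'hold', 'keep', 'delete' or 'unclassified'.

    'unclassified' flags data with no rule at all: under data minimisation
    such data must be reviewed, never silently kept.
    """
    rule = RETENTION_RULES.get(record.category)
    if rule is None:
        return "unclassified"
    age = (today - record.created).days
    if age < rule.min_days:
        return "hold"          # minimum period not yet over
    if age > rule.max_days:
        return "delete"        # maximum period exceeded
    return "keep"


def sweep(records, today: date) -> dict:
    """Group record ids by action across every store, so sent items and
    backups are cleaned together with the primary store."""
    plan = {"hold": [], "keep": [], "delete": [], "unclassified": []}
    for r in records:
        plan[classify(r, today)].append(r.record_id)
    return plan


# Constructed sample records, including copies in sent items and backup.
SAMPLE_RECORDS = [
    Record("cv-1", "applicant_cv", date(2024, 5, 20), "primary"),
    Record("cv-2", "applicant_cv", date(2024, 4, 1), "sent_items"),
    Record("cv-3", "applicant_cv", date(2024, 4, 1), "backup"),
    Record("inv-1", "invoice", date(2020, 1, 1), "primary"),
    Record("inv-2", "invoice", date(2016, 1, 1), "backup"),
    Record("note-1", "chat_export", date(2023, 1, 1), "primary"),
]


def demo_plan() -> dict:
    """Run the sweep over the constructed records as of 2024-06-01."""
    return sweep(SAMPLE_RECORDS, date(2024, 6, 1))


if __name__ == "__main__":
    for action, ids in demo_plan().items():
        print(f"{action:>12}: {ids}")
```

The point of the `basis` field is the accountability record the post asks for: the reason for a period lives next to the period itself, so it exists before any breach, not after one. Anything that lands in `unclassified` is data you hold without a documented purpose and should be reviewed first.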