Time to change your personal data diet?

It's the time of year when many people (me included) try to shed the excesses of Christmas and New Year by eating more healthily. Rather than going on a crash diet, you're encouraged to change your diet in a way that is sustainable in the longer term.

The same is true when it comes to the collection of personal data.

Only eat what you need

First, the personal data you process must be:

adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

This is known as the principle of "data minimisation".

Second, personal data must be:

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed

So not only do you have to process the minimum amount of data, you must not keep it longer than you need it. This is known as the principle of "storage limitation".

These are not, in theory, complicated: work out why you are processing personal data, make sure what you collect is neither more nor less than you need, and don't keep it for longer than you need it.

I say "in theory", as I see lots of companies struggling with it.

What's the problem?

The problems I see come from two main places:

  1. The company does not know how to comply with the principle of data minimisation. If it does not know how to comply, then it cannot assess whether it is compliant or not, and it can be more easily led astray. Like your new year's diet, if you don't know what "good" looks like, it's much harder to work out what is bad for you.
  2. Some people / teams cannot sate their appetite for personal data, and no-one is there to stop them. This is quite a common trait, in my experience, of marketing teams and analytics teams. They'll often want as much data as possible, on everyone, just in case, and to keep it forever. And while that's virtually impossible to align with the company's legal obligations, their dire warnings of what would happen if they don't get the data they want are going to be heard loud and clear, especially if there is no clear voice explaining what "good" looks like from a compliance perspective.

"Fair enough, Neil", I hear you say. "How do I know what data I should be keeping, and for how long?"

Work out what you should be eating

The answer is pretty straightforward: you assess your processing activities properly, and keep documentation.

Only by knowing what you are doing, and why you are doing it, can you work out what personal data you need, and for how long you need it.

Ideally, you'd do this before you start the processing activity in question but, if you've got a legacy of existing processing activities, you probably need to go back through those too.

The core "dieting" questions you want to be asking for every activity involving the processing of personal data are:

  • why are you processing the data?
  • what is the minimum personal data you need for that purpose?
    • you mustn't have more than you need, but you need to have enough to achieve your purpose.
    • for each item of data, ask yourself "what would the impact be if we did not have it?".
  • for how long do you need the data, and how are you going to make sure it is deleted after that period expires?

When you answer these questions, imagine you are trying to justify what you are doing to the regulator, who is investigating you: can you give a clear, reasoned explanation for your answers? If your answers are wishy-washy or unconvincing to you, they're unlikely to sound much better to the regulator.

Keep records, and routinely re-assess your approach

Once you've got your answers, record them in writing, ideally in your record of processing activities (of which, more in a future blog post), along with a note of the date on which you will re-assess them.

Then, make sure you do what you've said you're going to do: keep only what you've said you will, use it only for the purposes you've documented, and get rid of it once the retention period is up. If you need to change things, go through the assessment process again — it's fine to change your mind, but keep records of what you have done, when, and why.
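As an added illustration (not from the original post) of how the documented answers can drive enforcement, the small Python model below records each activity's purpose, minimum data items, retention period and re-assessment date, then flags over-collection, deletes expired records and reports when the answers are due for review. The activity, field names and sample records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ProcessingActivity:
    """One record-of-processing-activities entry (constructed schema)."""
    purpose: str
    minimum_fields: frozenset  # "what is the minimum personal data you need?"
    retention_days: int        # "for how long do you need the data?"
    reassess_on: date          # date on which these answers are reviewed


# Constructed example: order fulfilment needs name, address and e-mail,
# kept for 90 days from collection.
ORDER_FULFILMENT = ProcessingActivity(
    purpose="order fulfilment",
    minimum_fields=frozenset({"name", "address", "email"}),
    retention_days=90,
    reassess_on=date(2024, 6, 1),
)


def over_collected(activity, record):
    """Data items in the record that the documented purpose does not justify."""
    return set(record) - {"collected_on"} - activity.minimum_fields


def is_expired(activity, record, today):
    """True once the record has been held for the full retention period."""
    return record["collected_on"] + timedelta(days=activity.retention_days) <= today


def apply_retention(activity, records, today):
    """Split records into those still within retention and those to delete now."""
    keep = [r for r in records if not is_expired(activity, r, today)]
    delete = [r for r in records if is_expired(activity, r, today)]
    return keep, delete


def reassessment_due(activity, today):
    """True when the documented answers are due to be reviewed again."""
    return today >= activity.reassess_on


# Constructed sample data: the second order also captured a date of birth,
# which the documented purpose does not require.
RECORDS = [
    {"name": "A. Example", "address": "1 High St", "email": "a@example.com",
     "collected_on": date(2024, 1, 10)},
    {"name": "B. Example", "address": "2 High St", "email": "b@example.com",
     "date_of_birth": "1990-01-01", "collected_on": date(2024, 3, 1)},
]
```

Running `apply_retention` on a schedule, and `over_collected` at the point of collection, turns the written-down answers into checks rather than intentions.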

If you've done this, not only are you likely to be better protecting the people whose data you are processing, you're going to be protecting yourself (the less data you have, the less you can lose / leak), and also putting yourself in a better position if the regulator ever comes knocking.

Further reading

The Information Commissioner's Office publishes guidance on both the principle of data minimisation and the principle of storage limitation.