Defrag This

| Read. Reflect. Reboot.

Breaking Down the GDPR's Data Protection Principles, Part 2: Purpose Limitation and Data Minimization

Jeff Edwards | May 25 2018

| IT insights, GDPR


As you’ve probably surmised from the glut of “We’ve Updated Our Privacy Statement” emails flooding your inbox, GDPR compliance is upon us.

As of May 25, 2018, the General Data Protection Regulation (GDPR) is in full effect. This means that companies around the world now have to be more careful about the way they handle personal data collected about residents of the EU to ensure the safety and privacy of this information. It also means this is the perfect time to continue our series, Breaking Down the GDPR’s Data Protection Principles.

In this series of articles, we’ll explore the seven principles of data protection, how they relate to GDPR, and how you can use these principles to protect your company’s data and ensure compliance with GDPR and other regulatory guidelines.

In the first post, we covered the basics of the GDPR—what it is, what it’s about, and who it affects—as well as the first principle of data protection: the right to fair, lawful, and transparent processing of data. In this post, we’ll continue right where we left off, with principles two and three: purpose limitation and data minimization.

The GDPR Mandates Purpose Limitation of Collected Data

Under the second data protection principle of the GDPR [Article 5, clause 1(b)], it’s mandated that personal data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.” Any further processing of that data should not be “incompatible with the initial purposes.”


In plain English, this means you need a legitimate, lawful purpose for collecting and processing user data—no more scooping up data wholesale just because you can. If you collect data that doesn’t have a specific purpose, you may find yourself out of compliance. Likewise, once you’ve collected and processed data for your purpose, you may not process that data for an unconnected purpose. For example, under the GDPR, data collected for research purposes could not be processed and sold for marketing purposes.

Under the GDPR, personal data is any data which by itself, or when combined with other data that the possessor can likely access, can be used to identify an individual. That means name, phone number, IP address, email… the whole gamut.

In the recent Cambridge Analytica/Facebook scandal, which has brought Mark Zuckerberg to testify in front of members of the U.S. Congress and the E.U. Parliament, it was revealed that British political consulting firm Cambridge Analytica used data collected for research purposes to target millions of Americans and EU citizens for political advertisements during the 2016 election cycle. Under the new restrictions enforced by the GDPR, Cambridge Analytica and Facebook would be subject to hefty fines—up to 4 percent of annual turnover, worldwide. There is currently no such purpose limitation law on the books in the US.

Businesses Must Also Minimize Collected and Stored Data

One of the most significant ways the GDPR is transforming data collection and processing is the principle of data minimization, under Article 5, clause 1(c). According to this principle, all collected personal data must be “adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.”

This is closely related to purpose limitation but differs in that it requires the restriction of which data is stored, as well as the data that is collected. Essentially, in order to be GDPR-compliant, you must implement data minimization processes and rules at every stage of the data lifecycle—from collection to processing, storing, and use. At every point in the process, you should be asking yourself: Do we really need this data? If the answer is no, you should delete the information. This process should be documented with a provable audit trail.

Additionally, data minimization means you need to think about how long you intend to store data for. For example, if you need data for a project that will last seven weeks, you must delete that data when the project is finished, and the data is no longer necessary. Currently, it’s a common practice to hold on to any and all data just in case it may be useful down the road. Be warned: this will not be compliant with GDPR.

In order to stay compliant with GDPR, ask yourself the following questions when collecting data:

  • How will I use this data?
  • Can I achieve my goal without collecting this data?
  • How long will I need to keep this data to achieve my goal?

How MOVEit Can Help You Comply with GDPR Principles Two and Three 

Managed File Transfer Automation

If your business collects, stores, processes or transmits the personal data of EU residents, the General Data Protection Regulation (GDPR) will apply to you. With this much at stake, the best practice is to ensure that the systems, user authentication, and encryption techniques involved in the transmission of personal data are secure and compliant with GDPR.

There are many ways that a reliable Managed File Transfer solution like MOVEit can help keep your company GDPR compliant. 

With MOVEit, you get a form-based solution that provides standardized, secure, and documented data transfer tasks, so you can keep track of where your data is going, who’s using it, and who’s viewing it. This is essential for data minimization, as it gives you full visibility into your data lifecycle. MOVEit’s comprehensive analytics will give you full insight into file-transfer activities, to ensure ongoing compliance with the GDPR’s data protection principles.

MOVEit Secure Managed File Transfer also provides encryption of data in transfer and at rest, data integrity checks, integration with your existing security systems and detailed logs of file transfer activity.

We’ll be back next week with another post on principles four and five, but until then, check out these resources to learn more about GDPR and its implications.

Seven Steps to Compliance with GDPR

File Transfer and the GDPR

Brexit and the GDPR

Financial Services Data Transfers and the GDPR



Jeff Edwards is a tech writer and analyst with three years of experience covering Information Security and IT. Jeff has written on all things cybersecurity, from APTs to zero-days, and previously worked as a reporter covering Boston City Hall.
