
Good practices in the collection of personal data

When collecting personal data, data controllers must first answer two questions: What goal do I want to achieve, and what data do I need to achieve it?

Although the answer seems simple, it is common for companies to collect more data than they really need. Excess data is usually collected "just in case", with a view to using it in the future. On other occasions, data is collected for purposes other than those of which the data subjects have been informed. And in either case, the controller frequently collects the data without defining how long it will be kept. All of these practices are contrary to data protection regulations, and it is therefore essential to know these good practices in personal data protection.

What principles should we take into account?

We are talking about the principles of purpose limitation, data minimization and limitation of the retention period.

These principles, which guide all processing of personal data, oblige data controllers to:

  1. Clearly define what the data will be processed for, after analyzing whether or not they are entitled to do so;
  2. Inform the data subjects of the purposes clearly and precisely;
  3. Collect no more data than necessary;
  4. Limit the extent of the processing and its retention period.

In turn, these principles are integrated into what is called "data protection by design and by default", which basically means that the controller must establish a processing configuration that is minimally intrusive: minimum amount of personal data, minimum extent of processing, minimum retention period and minimum accessibility of the personal data to people. All of this applies by default, that is, without the data subject having to demand it from the controller.

And how is this done?

I'm afraid we can't summarize it in one post. But, as a note, the European Data Protection Board focuses on three strategies when implementing data protection by design and by default:

  1. Optimize: Apply measures in relation to the amount of data collected, the extent of processing, its retention and its accessibility.
  2. Set up: Allow the user to configure how their personal data is processed, through settings available in the applications, devices or systems that carry out the processing. Think, for example, of a cookie preference center or app permissions.
  3. Restrict: The configuration options must be set, by default, to the values that limit the amount of data collected, the extent of the processing, its retention and its accessibility.

Implementing this principle is a complex task. To delve deeper into the topic, we recommend the new Default Data Protection Guide from the Spanish Data Protection Agency, as it contains numerous references to previous works that will help you interpret the brief Article 25 of the GDPR.


Carlos Vera

Lawyer specialized in IT/IP at Grupo SIA

Subscribe to our newsletter to stay up to date with all the news

EIP International Business School informs you that the data in this form will be processed by Mainjobs Internacional Educativa y Tecnológica, SAU as the party responsible for this website. The purpose of collecting and processing personal data is to manage your subscription to the newsletter as well as to send commercial information about the services of the data controller. The legitimacy is the explicit consent of the interested party. Data will not be transferred to third parties, except under legal obligation. You may exercise your rights of access, rectification, limitation and deletion of data at compliance@grupomainjobs.com, as well as the right to lodge a complaint with the supervisory authority. You can consult additional and detailed information on Data Protection in the Privacy Policy that you will find on our website.