In a world that is pushing big data and trying to gather as much information and intelligence about everyone as possible, data minimisation comes into question. Why do we actually need to collect so much data, and what are we actually using all that data for?
Why does an employer need to know your eye colour, and why is it necessary to have that on your HR file? The answer is: it isn’t. According to GDPR regulations, data should be “adequate, relevant and limited to what is necessary for the purpose it was collected.”
Data processing should only use as much data as is required to successfully accomplish a given task. Data collected for one purpose cannot be repurposed without further consent. From May 2018 it is going to be impossible to be GDPR compliant without implementing data minimisation rules and processes at every step in the data lifecycle.
Companies must limit personal data collection, storage, and usage to what is relevant and necessary for processing. We should start to see a trend emerge where “less is more”, and you should not be holding personal data on the off chance that it might be useful in the future.
The key thing here is what is necessary for the purpose: employers will not be able to collect personal data simply because it might be useful, or where no specific purpose for it has been identified. Employers who process vast amounts of data may find this particularly challenging.
Here are some things to consider about where data minimisation applies in an HR context:
- Recruitment – start by reviewing your application form: are all of your questions entirely necessary? Do you actually process the data that you collect? How often do you look at GCSE and A-level grades, and how often is this revisited? When collecting data, ensure that you are asking the questions: is this necessary for processing? Is it reasonable?
- Employee files – do you have a records retention policy in place? Are HR, personnel and line managers aware that records they retain may be disclosable?
In order to prepare your organisation for GDPR, you should conduct a data audit to review and identify what personal and sensitive personal data you have, process and store. This will give you a clear picture of what data you have, who has access to it, where it is and what it is used for, and subsequently why you have it and why you need it.