Joakim Hvalby
Program Manager Information Security

GDPR tip 1: Don't collect more data than necessary

Do we need all this data to do what we want to do? The fact that GDPR was introduced in 2018 doesn't mean that every organization complies with it. Not collecting more data than necessary is an important part of GDPR, says Joakim Hvalby, Program Manager Information Security at Junglemap, in one of four articles with GDPR tips.

[Image: a large server hall with numerous data servers. Photo: license free]

The guidelines from the responsible authorities are clear: Personal data processed or stored should be "adequate, relevant and not too extensive in relation to the purpose". In plain language, this means that we should never process or store more personal data than is needed.

At the same time, there's a lot of focus on data-driven development and innovation, and that is understandable. Properly used, analysis of user data can give us a much better understanding of how our employees, members or residents use our services. But the personal data processed must be clearly linked to the purpose. In other words, it's not permitted to collect personal data for indeterminate future needs because it "might be good to have", or simply because it is possible. We have to limit ourselves.

IMY, the Swedish Authority for Privacy Protection, lists six steps for getting a handle on GDPR, and the first two are the important ones from this perspective:

Step 1: First think about what you need to do and why
What personal data do you need to use? Why, and in what way? Are you planning to do several different things with the personal data? Is there personal data that you don't actually want to handle but still receive? Deciding these things before you start bringing data into the process will help limit the data used.

Step 2: Determine purpose before you begin
GDPR requires that you clearly determine the purposes before the processing begins, and that you then process the personal data only for those purposes. This is called purpose limitation. And again: use only the personal data you need. It isn't permitted to process more personal data than is needed for the purposes you have decided on. This is called data minimization, and it is one of the fundamental principles of the GDPR. Each purpose must also be described specifically and concretely. After five years with GDPR, this is something we really should know, but we still often forget it.

We have now launched the 2024 version of Privacy and GDPR for all employees. It is a brand new course with updated content spread over fewer lessons, but with more interactive touch points that give your organisation's DPO a better understanding of the level of awareness in your organisation.

To increase engagement and awareness, this new course also focuses on why GDPR and privacy are important both at work and in your private life.

Article, December 14 2022