Check how and where you process data for any unnecessary risks
Assess what data or assets are not necessary to perform your tasks
The less data you process, the lower the risks
As argued, the data minimization principle may be summed up as ‘the less data the better’. This does not mean that processing data is bad or illegal, but processing entails certain responsibilities and risks. If data are not processed, there is no liability for them, and often this is the best solution.
But as you normally need data in your daily work, put this approach into practice through the need-to-know principle. Re-examine what data you process in doing your job and what assets you use.
Do you process data only when necessary, or do you create unnecessary risks? Do you store data in one place, perhaps also on backup copies, or save it in multiple places, each carrying a different risk? What about your permissions? Can you access personal data that is not relevant to your work? If so, why does it happen?
The need-to-know principle is a standard that should be reflected in the content of your authorization to process data, as well as in the access and permissions granted to you for IT systems, network folders and physical areas. Your employer should have set you up properly as a newcomer and should carry out an offboarding process when you leave.
The best way to stay safe is not to get involved in unlawful data processing. So always look at data processing from the perspective of what you need to perform your duties. This is a great starting point, but it does not solve everything, especially if your company needs you to process data in a doubtful way, for instance by carrying out marketing or behavioral analysis without considering data protection requirements.