An all-time easy piece of advice
Let's reflect on two decades of mass collection of data. A massive amount of data inevitably means inaccurate data. Data storage equals data risk. Data risk equals liability. A data breach requires a fast response: notification within 72 hours. The more sensitive the data stored, the higher the liability. We are awaiting the class actions in the UK (Lloyd v Google), several others in the EU, and the latest in the US against Clearview AI. A data breach causes harm and loss of control, which call for compensation. Nearly every day we hear breaking news of a new data breach. It is no longer a question of IF but of WHEN a data breach occurs. It happens to big organisations as well as small ones.
So, in that context, why collect unnecessary data?
I still hear stories of Data Controllers asking for a copy of an ID card before responding to a Subject Access Request, and of professional associations, even lawyers, asking for an ID card to process documents or to issue key access. I just want to recall one of the key principles of the GDPR that can keep you out of a lot of trouble: DATA MINIMISATION.
Consider personal data as a hot potato.
Do not collect it if you do not genuinely need it. Do not keep it longer than necessary. Do not share it with third parties with whom you would become joint controller and therefore jointly liable (think of all the third parties accessing your visitors' data, such as Google Analytics or Facebook). Purpose limitation means you do not process the personal data for further, unrelated purposes. You must keep the data accurate and secure, and keep it no longer than necessary. The less data you collect and keep, the better off you are.
Here is an ECJ Advocate General's opinion on the validity of consent in the context of copies of ID cards required from customers. Why would a telecom company need to keep copies of ID documents? Read more here.
This work is licensed under a Creative Commons Attribution 4.0 International License.