The General Data Protection Regulation (GDPR) is transforming the way organizations and European Union citizens think about their personal data. When the GDPR takes effect on May 25, 2018, EU citizens will gain greater control, privacy, and security over their personal data. The GDPR introduces some new requirements and reinforces a few common principles that shape how organizations collect and process personal data from EU citizens. One of the key components to the GDPR, that is not necessarily new, is the idea of data minimization. In this post we are going to take a more in depth look at data minimization and how it can impact different areas of your organization. If you are interested in a different area of GDPR, below is a list of the blog posts that cover different components in detail:
- GDPR (General Data Protection Regulation) & JumpCloud
- GDPR: Privacy and Security by Design
- GDPR: Breach Notification
- GDPR: Data Minimization
- GDPR: Data Protection Officer
- GDPR: Mandatory Privacy Impact Assessments
- GDPR: Right to Erasure and Data Portability
Additionally, if you are unfamiliar with the GDPR terminology, consider referring to this definition page in the GDPR.
Data minimization is the idea that controllers and processors use the minimum amount of data needed to successfully complete their task (GDPR Art. 5). When thinking about how to comply with data minimization, it is important to consider the duration for storing data, and the processes, software, and systems used in your organization. For example, if controllers only need addresses from data subjects for a project that lasts three months, that data should be erased once that project is completed in three months.
Data minimization is also important to take into account for auditing and logging aspects of a business. It’s important to take note of what kind of information you’re collecting, what information is actually necessary, why it’s necessary, and to discard any irrelevant data (Dataguise). For some controllers and processors, it might have been common practice to hold on to to irrelevant data in case it may be needed in the future; however, this practice should be abandoned because it is the opposite of data minimization and doesn’t comply with the GDPR. Whether it’s your data collection team or your security team, it’s crucial to examine your processes and systems that are involved with collecting or interacting with personal data.
So how does JumpCloud approach data minimization?
Data Minimization with JumpCloud
JumpCloud only collects and processes data that is needed to provide an optimal experience on our website and that which is needed for our Directory-as-a-Service® to function. From our website, we collect cookies and IP addresses to create a personalized experience. To use our service, customers may be required to provide pieces of personal data such as a name, email address, and company information. The personal data that we ask for is essential to our service. If a customer does not wish to provide this information, they can decline to use JumpCloud’s directory services and ask us to delete any personal data we may have collected. Within our cloud-based directory services, customers (our data subjects) have the option to enter personal data such as phone numbers and addresses. If the customer chooses to have end users enter this data, the customer becomes the controller over this data and JumpCloud becomes the sub-processor. This set of data is completely in the control of the customer. The customer can add, delete, or modify this data however they see fit. JumpCloud does not utilize this user generated content other than to be displayed in the UI and at the customer’s direction. Privacy and security are central to JumpCloud’s Directory-as-a-Service, and we will be GDPR compliant by May 25, 2018.
For more information on JumpCloud’s GDPR compliance, drop us a note. You’re also encouraged to explore all of our identity management capabilities by signing up for a free account. Your first ten users are free forever.