DATA MINIMISATION: TO WHOM MUCH PERSONAL DATA IS GIVEN, MUCH IS EXPECTED

"Spiderman, Spiderman, does whatever a spider can."

If the parody tune of the Spiderman movie song is unfamiliar to you as a Nigerian, you might be living under a rock! The song lives rent-free in my head. I particularly love this song because Spiderman was my favourite childhood hero. One of my most memorable quotes in the Spiderman movie was by Uncle Ben (Spiderman's uncle): "With great power comes great responsibility". This quote underscores one of the principles of data protection and privacy that I am going to be discussing today: data minimisation.

Data minimisation is one of the cardinal principles of data protection. It is cited in virtually all, if not all, data protection laws across the globe. It features in the EU's GDPR, and right here at the heart of West Africa, it features in Nigeria's newly passed NDPA.

?

A Scorching Lagos Afternoon Context: An Analogy Filled with Calories

Let me illustrate data minimisation with a scenario. But before I move on, I think I should put out a disclaimer. I can't remember when I last had ice cream. I can count how many times I have bought ice cream in my entire life with the fingers in just one hand. I don't know if people order ice cream. Please forgive my ignorance and just follow my illustration.

Picture yourself on a hot afternoon, as Lagos' sun is brimming with its usual exuberance, you decide to order a cup of ice cream to facilitate the internal cooling of your engines. As you surf the internet for stores that can deliver a cup of ice cream to your location, you eventually find one after 35 minutes of indecisive digital navigation. To purchase, they ask you to create an account with them. Just imagine that as you get to the page to put in your details, you see a field asking you to put in your blood group. Yeah, I know. Your reaction would be: "What?". You would probably show some of your friends and/or colleagues before fleeing from the site.

I concede that my example is a bit exaggerated, but I am sure you have gotten my message. You can go ahead and put in your blood group and consent to the processing of the data you have given the store. However, that store has collected more data than it needs and, therefore, assumes more responsibility than it ordinarily would have. That is why data minimisation is necessary.

?Data minismisation is a fundamental principle of data protection and privacy that involves collecting, processing, and retaining only the minimum amount of personal data necessary for a specific purpose.

Businesses: The Heart of Data Minimisation

The purpose of the principle of data minimisation is, of course, to protect the personal data of natural persons. However, it is one of the principles that is truly data controller/processor centric. Abiding by this principle can shield data controllers/processors from undue liabilities. By limiting data collection to its essential purpose, controllers can strategically mitigate risks while ensuring efficient data handling.

In the scenario above, that ice cream store does not need your blood group to sell you ice cream. The store just needs your name, your address to deliver the ice cream (if the Lagos’ sun has not violated it before it gets to you) and possibly, your payment details. Your blood group is health information that is classified as sensitive data. Sensitive data usually has its own distinct basis for processing. Therefore, the store probably has to exert more resources to ensure your data is safe. Just by collecting their customers' blood group, the store may magically appear on the radar of more hackers than usual.

Embrace the Power of Less

As a business owner or just a customer, you must be wary of the personal data you collect or volunteer. This is particularly important for business owners. As your business grows, your customer base widens, and so does the data pool. While the goal of every business is to increase sales and profitability, compliance with the law and best practices are a no-brainer for that goal. Striking a balance between growth and compliance is crucial. While data may accumulate, adhering to data minimisation curbs liabilities and saves resources, time, and energy expended on protecting data that does not serve any purpose. In fact, just like you fled from that ice cream store, collecting more personal data than necessary may discourage potential customers, leading to revenue loss.

?Conclusion: Adopt a Lean but Effective Data Philosophy

Much like a company with excessive share capital, having more data than required can be counterproductive. To avoid pitfalls, companies should adhere to data minimisation principles, safeguarding only essential information. First, identify the thrust of your business, and then identify the kind of personal data you need to fulfil your business goals. This approach streamlines data protection responsibilities and resources, resulting in a more efficient operation.

?As a business, do not be like that ice cream store. Embrace data minimisation as a business mantra - less is indeed more. Businesses that embrace this philosophy optimise their data management practices, ensuring compliance, mitigating risks, and building a solid foundation for responsible and efficient operations.

Remember, just like Spiderman, with great data comes great responsibility. ???

From your friendly neighbourhood data protection enthusiast