
GDPR Article 11 Explained: The Key to Data Minimization

GDPR Article 11 deals with data minimisation principles, which limit the processing of data to only that which is deemed necessary.

Controllers should delete or obscure any references to the data subject the moment the data is no longer required. When this occurs, controllers also need to obtain further info about the data subject to remain compliant.

If subjects would like to be re-identified, controllers should take this on board and formulate steps to address the request.

It’s important to note that, if the subject is not identified, Article 11 applies in part, but if the data subject requests re-identification, the controller needs to attempt this (unless, by burden of proof, this proves to be impossible).

GDPR Article 11 Legal Text

EU GDPR Version

Processing which does not require identification

  1. If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.
  2. Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification.

UK GDPR Version

Processing which does not require identification

  1. If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.
  2. Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those articles, provides additional information enabling his or her identification.







EU GDPR Article 11 (1) And ISO 27701 Clause 7.4.5

PII De-identification and Deletion at the End of Processing

When PII no longer fulfils a stated purpose, organisations need to either completely destroy the data or modify it in a way that prevents any form of identification, either internally or externally.

As soon as the organisation establishes that the PII doesn’t need to be processed at any time in the future, the information should be deleted or amended in a way that makes it impossible for the data subject to be identified.

EU GDPR Article 11 (2) And ISO 27701 Clause 7.3.2

Determining Information for PII Principals

Organisations should document the information that PII principals receive, that outlines how PII is processed.

There needs to be a set of requirements that govern when information is to be provided, and precisely what that information is, such as:

  • The purpose of the PII being collected and processed.
  • Contact details.
  • How PII was obtained.
  • Written requirements (contractual, statutory).
  • The process through which consent is removed.
  • Data transfers.
  • A complaints procedure.
  • The internal decision-making process.
  • Data retention periods.







EU GDPR Article 11 (2) And ISO 27701 Clause 7.3.3

Providing Information to PII Principals

Organisations need to outline who the PII controller is, and how data is processed, through ‘clear and accessible’ means that do not inhibit the dissemination of crucial information.

Information should be easy to follow, and set out in layman’s terms so that anyone who reads it is able to understand the nature of what’s being conveyed, along with any technical or operational specifics (see ISO 27701 Clause 7.3.2).

Supporting ISO 27701 Clauses

  • ISO 27701 7.3.2

Supporting Controls From ISO 27701

| GDPR Article | ISO 27701 Clause | ISO 27701 Supporting Clauses |
|---|---|---|
| EU GDPR Article 11 (1) | ISO 27701 7.4.5 | None |
| EU GDPR Article 11 (2) | ISO 27701 7.3.2 | None |
| EU GDPR Article 11 (2) | ISO 27701 7.3.3 | ISO 27701 7.3.2 |

How ISMS.online Helps

Our pre-built environment allows you to describe and demonstrate your approach to protecting your European and UK customer data in a way that seamlessly integrates into your management system.

The ISMS.online platform contains built-in guidance at each step, as well as our ‘Adopt, Adapt, Add’ implementation approach, which reduces the amount of effort required to comply with GDPR. You will also receive a range of time-saving benefits.

If you are having trouble achieving GDPR compliance because of a lack of confidence, ability, or motivation to take action, we can help you by providing our in-house experts or by recommending one of our trusted partners.

Find out more by booking a demo.


John Whiting

John is Head of Product Marketing at ISMS.online. With over a decade of experience working in startups and technology, John is dedicated to shaping compelling narratives around our offerings at ISMS.online, ensuring we stay up to date with the ever-evolving information security landscape.
