GDPR data minimisation & confidential computing

Apr 16, 2021

Confidential computing technology enables businesses to do more, without requiring direct access to personal data. Now that it is possible to operate with less data, isn’t every business required to minimise data collection?

The General Data Protection Regulation (GDPR), enacted on the 25th of May 2018, gives individuals greater control over their personal data through policy enforcement, including the principle of data minimisation: only collecting and using data that is absolutely required for a business to operate.

GDPR aims to harmonise the flow of individuals' data within the European Union and to strengthen the rights citizens have over personal data that is held and processed by third parties.

As defined in GDPR, personal data is any data that can directly or indirectly identify a natural person, such as name, date of birth, geographical and IP address, and information relating to financial, mental and other facts about an individual.

GDPR clarifies eight rights in total, the most important being the right that empowers EU citizens to give prior and clear consent for their data to be collected and processed.

According to Article 5 of the European Regulation 679/2016 (GDPR), the principle of “data minimisation” specifies: “the personal data are: … c) adequate, relevant and limited to what is necessary with respect to the purposes for which they are processed (data minimisation)”.

Main Principles of GDPR:

  • Lawfulness, fairness and transparency

  • Data minimisation

  • Storage limitation

  • Purpose limitation

  • Accuracy

  • Integrity and confidentiality

Data about an individual or business can be collected by a third party only if the collected data is used for specified, explicit and legitimate purposes. The data has to be adequate, relevant and limited to the purposes for which it was collected.

Moreover, it is essential that personal data is accurate, updated and stored securely, in a form that allows identification of individuals as necessary for those purposes.

To be lawful, and therefore permitted, the processing of “personal data” must be limited to indispensable, pertinent data and to what is necessary for the pursuit of the purposes for which the data are collected and processed.

Using confidential computing technology, we focus on the 3rd principle of GDPR, data minimisation: we utilise personal data for business purposes while, at the same time, minimising the personal data that is revealed to the third party.
