
The four rules of the GDPR

The GDPR is about one thing: personal data. Around it, this course groups the obligations into four core rules. In this module and the next two, we work through them one by one. We start with data minimisation.

Personal data
  1. Data minimisation (this module)
  2. Transparency
  3. Security
  4. Rights of data subjects
Introduction

Data minimisation

The first of the four core rules. The idea is simple: collect as little data as possible. Less data means less risk, for your business and for the data subjects.

What you will learn in this module
  • What 'strictly necessary' means
  • Why every use needs a business purpose and a lawful basis
  • How to apply this practically in your own business
Theory · 1 of 3

Use only what is strictly necessary

You may only collect personal data that is strictly necessary for the intended business purpose. Less data means less risk for all parties.

Tied to a business purpose

Every business process that uses personal data must have a documented business purpose. Example: the invoicing process uses payment details in order to collect payment. A documented purpose stops data being gathered without a specific reason, and it is the yardstick against which "strictly necessary" is measured: a field that serves no documented purpose has no place in the process.

Theory · 2 of 3

Underpinned by a lawful basis

Every use of personal data also needs a valid GDPR lawful basis (the legal ground you rely on for a processing activity). The GDPR provides six in total (see: The 6 lawful bases explained); for SMEs these are the four most common:

  • Contract: necessary to perform your contract with the customer.
  • Legal obligation: the law requires you to keep the data (e.g. retention of invoices for tax purposes).
  • Consent from the data subject: freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give.
  • Legitimate interests: e.g. promoting similar products to existing customers. Requires weighing your interest against the data subject's interests and rights, and cannot on its own justify processing special category data (health, religion, sexual orientation and the like).
Theory · 3 of 3

In practice: how to approach it

  • Make an inventory of all business processes that use personal data, and record the purpose of each.
  • For each process, confirm you only use the data that is strictly necessary for that purpose.
  • Check that each use rests on a valid lawful basis, and write down which one.
  • Talk to your software supplier about removing unnecessary fields from the input screens, so the data cannot be collected in the first place.
Remember

Are you collecting data "just in case"? Then you probably lack both a purpose and a lawful basis, and the data should not be collected.

Example · 1 of 2

One loyalty card, two processes

You want to give regular customers a discount after 10 purchases, and you also want to wish customers a happy birthday.

Process 1 Rewarding regular customers with a discount

Purpose: granting a loyalty discount based on purchases.

Strictly necessary: name, address, and purchase history. Lawful basis: contract; the sales agreement says you get a discount after x purchases.
Example · 2 of 2

Same file, different purpose, different process

Process 2 Sending a birthday email

Purpose: sending customers a birthday email.

Strictly necessary: email address, name, and birthday (day and month only, e.g. 5 May). The birth year is not needed to send a birthday email and should not be collected. Lawful basis: consent or legitimate interests, with an opt-out in every email.

A birthday email like this is a form of direct marketing (commercial or promotional messages aimed at a person: newsletters, promotions, birthday emails and so on). For this you need a valid lawful basis (consent or legitimate interests) and the recipient must always be able to opt out easily. See: Direct marketing and the GDPR.

Practice · question 1 of 2
"Your software offers a 'gender' field on the loyalty card, but you do not need it for anything. What does data minimisation say?"
Correct: if there is no purpose and no lawful basis, do not collect the data. Ask your software supplier to remove unnecessary fields.
Practice · question 2 of 2
"What is true about consent as a lawful basis?"
Correct: consent must be freely given and must be equally free to withdraw. If it is not, the consent is not valid.
Summary

What you take away from module 3

  • Collect as little as possible: only data that is strictly necessary for the purpose.
  • Every process involving personal data has a documented business purpose.
  • Every use rests on a valid lawful basis (contract, legal obligation, consent, or legitimate interests).
  • Consent must be freely given and as easy to withdraw as to give; legitimate interests cannot on its own justify processing special category data.
Module complete

Module 3 complete 🎉

You now know what data minimisation means and how purpose and lawful basis fit together. In module 4 we look at the second rule: transparency.

3 of 8 modules unlocked

On your way to your “GDPR essentials for SMEs” certificate

Complete all 8 modules and pass the final exam (at least 70%) to receive a personal certificate in your name, with a verifiable code.

Modules 1-3 complete · Modules 4-8 pending · Final exam ≥ 70% pending