GDPR Requirements: Personal data must be adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing (Article 5 (1c)).
Resulting Challenge: Reduce the amount of data processed and the number of stakeholders. Furthermore, the minimum amount of personal data necessary for processing purposes shall be identified.
Technical Solution Approach: In the design phase of a software system, the data model must be tested and adapted regarding its processing purpose. Changes in the need for certain data as well as regarding certain processing purposes may also arise during operation and evolution of a service. This requires an architecture in which the data model is adaptable.
Checklist:
- Which data structure is minimal and still serves the service requirements for operation?
- Has data (or attributes of data) that is not (any longer) necessary for processing purposes been deleted?