An Optimal Approach to GDPR Purpose Limitation

A peek into why adherence to GDPR Purpose Limitation is necessary

The law is more than simply its section, number, or name; it is the manifestation of its affiliated principles. These principles are primarily responsible for determining the dos and don'ts of the law. Hence, understanding the law's principles in their entirety is vital. The same applies to the European Union (EU)'s General Data Protection Regulation (GDPR).

GDPR, now recognized as one of the world's most stringent data privacy regulations, went into force on May 25, 2018. The legislative framework embodies the guidelines for collecting and processing EU citizen data, with a particular emphasis on protecting personally identifiable information (PII). Though it serves EU individuals, it applies to any business entity anywhere in the world that collects, processes, or is otherwise associated with EU citizen data. Like other laws, GDPR has principles to guide those who must abide by it. One that stands out, though, is GDPR Purpose Limitation.

Understanding GDPR Purpose Limitation

Article 5(1)(b) of the GDPR outlines the principles of purpose limitation, highlighting the protection and accountability factors that all data processors must follow. GDPR Purpose Limitation emphasizes that the objectives for which personal data should be collected or processed should be clear, unambiguous, and lawful. The data should not be collected or processed for reasons other than the original ones.

There are, however, certain exceptions. Data can be gathered for archiving in the public interest, for scientific or research purposes, or for statistical reasons that do not conflict with the above primary purposes. Noncompliance with the GDPR principle can cost companies fines of up to €20 million, or 4% of the total global turnover from the preceding year, whichever is larger. However, the reputational damage that results from noncompliance is even more severe.

Caveat for the Corporations

Any large corporation dealing with customer data may hold a multitude of PII, such as customers' emails, mailing addresses, phone numbers, credit card information, and so on. It may also be sitting on personal information such as browser history, purchase history, chats, etc. Though most GDPR-compliant businesses now handle privacy compliance with prudence, any abuse or mistreatment may be catastrophic.

One such instance occurred when one of the world's major airlines was fined €22 million ($26 million) by a GDPR authority. The airline's systems were breached, impacting 400,000 customers, and hackers obtained log-in information, credit card information, and travelers' names and addresses. The attack may have been avoided, but the airline lacked adequate security procedures to secure its systems, networks, and data.

Saving the Day

Setting up multi-factor authentication and firewalls may have helped the airline significantly. However, that should be accompanied by ensuring that all PII privacy measures required by GDPR Purpose Limitation standards are in place and that the data is secured. Some basic preventative precautions that the airline could have taken include:


A data-first strategy would have required the airline to identify any PII data that might lead to such a disaster. This would have entailed isolating personal data from the central system and requiring additional authentication to access it.


Controlling who gets access to what, where the data is stored, and how it is utilized would have provided an additional degree of protection for consumers' sensitive information. Controlling how each PII is marked and applying remedial procedures per industry-specific data privacy compliance regulations would have also been beneficial.


Compliance with industry-specific standards typically necessitates encrypting sensitive data, deleting data that is no longer needed or obsolete, and encrypting and archiving data as required.

This would have removed a significant quantity of personally identifiable information from the system servers, leaving very little for the attackers. However, executing all this manually is practically unfeasible. As a result, most businesses, like the airline in question, now employ GDPR Compliance software that can be automated to perform such jobs with ease.

Nikhil Bhardwaj is an MBA graduate from Woxsen University. He has a passion for reading and writing and is an ardent cinephile. His goal is to expand his knowledge and utilize it to broaden his professional horizon.