The following provides examples for technical and organizational measures in support of purpose limitation:
- A precise clear specification of the initial and potentially compatible purposes is a prerequisite for any reasoning about purpose separation.
- Understanding data protection as a process that includes regular reviews during the whole life cycle of the processing activity is important to avoid processing data for incompatible purposes, e.g., due to function creep. Note that regular review is mandated in the context of data protection by design (Art. 25(1) GDPR), data protection impact assessments (Art. 35(11) GDPR) and security (Art. 32(1)(d) GDPR).
- The verification of the compatibility of purposes according to Art. 6(4) can be considered an organizational measure in support of purpose limitation.
- Analysis of how authorized personnel may use personal data for other purposes is another organizational measure. Such an analysis aims at identifying possible motivations, conflicts of interest (such as personnel processing data of relatives and acquaintances), and measures to prevent or mitigate such situations (e.g., the possibility that an employee can signal a conflict of interest for an assigned case and pass it to another employee without conflict of interest).
- Another measure is an analysis of the motivations that external attackers may have to obtain the data for other purposes. This is an important part of risk assessment and a prerequisite for implementing adequate safeguards in support of purpose limitation.
- Any organizational or technical measure to implement separation between distinct processing activities pursued by the same controller are in direct support of purpose limitation.
- Any measure (such as encryption) in support of confidentiality prevents that unauthorized parties use data for illegitimate purposes.
- Any measure to ensure that authorized personnel acts only on instruction and as instructed by the controller (see Art. 29 and 32(4) GDPR) ensures that the processing does not go beyond that necessary to achieve the specified purposes.
- A secondary measure that mitigates the damage after a breach is pseudonymization. The drastically reduced possibility of identifying data subjects and linking to other data sets may in many cases effectively prevent the use of the leaked data for other purposes.
1Another example to prevent conflicts of interest is when a large company processes in offices far from the affected data subjects in order to reduce the probability that employees process data of acquaintances. ↑