Data minimization is one of the chief principles of the European Union’s General Data Protection Regulation (GDPR), which states that data processing should only use as much data as is required to complete an assigned task.

It goes on to say that data collected for one purpose may not be repurposed and used for a different purpose.

The legal requirements of Data Minimization are stated in Article 5 (e) of the GDPR. It states “personal data shall be kept for no longer than is necessary for the purposes for which it is being processed. There are some circumstances where personal data may be stored for longer periods (e.g. archiving purposes in the public interest, scientific or historical research purposes).”

Recital 39 of the GDPR states that: “the period for which the personal data is stored should be limited to a strict minimum and that time limits should be established by the data controller for deletion of the records (referred to as erasure in the GDPR) or for a periodic review.”

In other words, organizations must make sure personal data is properly disposed of when it is no longer required for the purpose for which it was gathered. Doing so reduces the risk of it becoming inaccurate, out of date or irrelevant.

What to Review to Achieve Data Minimization

In order to achieve this, you should review the data that you are gathering to ensure that it is:

Adequate: The data that you are gathering is what you require in order to fulfil your stated purpose.

Relevant: The data that you are gathering has an obvious link to your target and this can be displayed upon review.

Limited: Only the necessary data will be gathered. No additional data that is not required will be gathered and held; you do not hold more than you need for that purpose.

For criminal offence or special category data it is vital to ensure you collect and keep only the minimum amount of data possible.

This could be considered on an individual case basis, giving particular consideration to any specific factors. This could be part of an objection, request for rectification of incomplete data, or request for erasure of unnecessary data.

Data Minimization Checklist