What is data minimization?

Data minimization is a principle outlined in the General Data Protection Regulation (GDPR) that refers to the practice of limiting the collection, storage, and use of personal data to only what is necessary for a specific purpose and for a stipulated time. 

Article 5 of GDPR states that:

“Personal data [collection] shall be… adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation).”

Organizations can reduce privacy risks such as data breaches and protect individuals’ privacy rights by implementing data minimization. To comply with this principle, businesses must determine which of the data they collect is necessary, obtain consent when collecting data, and regularly review and delete data that is no longer needed.

You can refer to the UK Information Commissioner’s Office (ICO) examples to determine whether your business is processing excessive personal data.