Data minimization posits that organizations should only collect the minimum amount of data necessary to accomplish their business purposes. Further, that data should be retained only as long as necessary or required by laws or regulations. From a privacy perspective, organizations must carefully analyze what personal data is collected on their customers, partners, and employees. If specific personal data does not have a demonstrable business use, then it should not be collected, and any such data already collected should be deleted.
Data minimization is instantiated in GDPR Articles 5, 25, 47 and 89. The CCPA includes the concepts of collection limitation and minimization, while data minimization is also implied in other regulations such as the Australian Privacy Act. The GDPR states the following on data minimization: “Personal data shall be: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’).”