The principle of data minimization means that organizations must only collect and process personal data that is relevant, necessary, and adequate to accomplish the purposes for which it is processed.

The practical implementation of this principle requires applying two concepts: necessity and proportionality to personal data processing.


Necessity:


Organizations must assess whether the personal data collected is suitable and reasonable to accomplish specific purposes. It will be suitable if personal data is necessary to attain the purpose. It will be considered adequate if the nature or amount of personal data is proportionate to the purposes. Verifying whether the specific purpose can be accomplished using anonymous data could be a useful starting point in the data minimization assessment. Organizations must evaluate whether the purpose could be achieved by processing anonymous data stripped of all unique identifiers.


Proportionality: 


Regarding proportionality, organizations should also consider the amount of data to be collected. For example, collecting a large amount of excessive data in relation to the purposes that the organization aims to accomplish and without any restrictions will be considered disproportionate. Therefore, a ‘save-everything’ approach will likely be considered a breach of the data minimization principle.