August 16, 2022

Libelle IT Glossary Part 14: Data minimization according to GDPR: But what does it actually mean?

AuthorMichael Schwenk

The topic GDPR has been relevant for all companies ever since 2018 and it is not possible to imagine data processing and storage processes without it. With the GDPR  law, companies were put under the obligation not only to be responsible in handling personal data, but also to ensure its protection.

Art. 5 GDPR deals with the "principles for the processing of personal data" and in paragraph 1 lit c. of this article the term data minimization can be found.

But what does data minimization actually mean?

Data minimization is one of the principles in the processing of personal data: therefore, the law provides that personal data must be "adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing". (Source: Art. 5 para. 1 lit c.) GDPR)

The basic idea behind the term data minimization is that personal data may only ever be collected if it is absolutely necessary for the purpose in question. The focus here is on the scope of  data and the type and length of processing. If these points are not given, the data may not be collected. (Source)

What are the benefits of data minimization for companies?

What is not collected does not have to be stored and accordingly does not have to be protected or deleted! Sounds strange, but this is how it is! - This is the obvious advantage of data minimization. This section of the law prevents or prohibits the "unnecessary" collection of non-relevant data. The goal is therefore to have only "pure" data records, without, for example, attributes that are not relevant to the data processing process - keyword data garbage.

A look at the practice: GDPR  data minimization example

If we illustrate this with the example of online stores, they may, for example, only collect personal data that is absolutely necessary for the ordering process.

As a user, you can recognize this data by the fact that it is marked as a mandatory field. All other data must be on a voluntary basis  to the customer. As soon as this is not the case and the data is not relevant for the ordering process, there is a data protection violation and the company is liable to prosecution. This is a common example of data minimization as defined by the GDPR.

How can companies implement data minimization?

In general, one should always question if a lot of data is being collected (e.g. through surveys) and whether this list of questions as well as the collection of the data are still GDPR -compliant. In this case, a company must always ask itself the question: "Does the collection already fall under the data minimization law?".

In practice, the following points can help:

✅ Reducing the attributes of the data subjects to be collected

✅ Setting restrictions as default settings - which allow processing of personal data only with the corresponding purpose of use possible

✅ Suppressing data fields with the help of a data mask

✅ Automated procedures and routines for blocking, pseudonymizing and anonymising

✅ Definition and implementation of a deletion concept (Source)

How do companies master the challenge of GDPR-compliant data?

When collecting large amounts of data, the question always arises as to how the project can be reconciled with the principle of data minimization. Here, companies usually rely on anonymization or pseudonymization of personal data. This way, data can be processed without allowing conclusions to be drawn about specific individuals. Thus, personal data is protected and processed in compliance with GDPR.

What stands behind anonymization and pseudonymization is explained in more detail in another blog post. With Libelle DataMasking, Libelle IT Group has developed a solution for the required anonymization and pseudonymization. The solution was designed in order to produce anonymized, logically consistent data on development, test and QA systems across all platforms.

The anonymization methods used deliver realistic, logically correct values that can be used to describe relevant business cases and test them in a meaningful end-to-end manner. Furthermore, developers as well as users are provided with a "clean" database with which they do not have to worry about data protection.

Recommended articles
December 22, 2022 Libelle IT Glossary Part 22: What is DevOps?
December 19, 2022 Anonymized data in the data pipeline

All blog articles