The GDPR has been relevant for all companies since 2018, and data processing and storage are now unthinkable without it. The GDPR obliges companies not only to handle personal data responsibly, but also to ensure its protection.
Art. 5 GDPR deals with the "principles for the processing of personal data", and the term data minimization can be found in paragraph 1 lit. c of this article.
Data minimization is one of the principles in the processing of personal data: the law provides that personal data must be "adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing". (Source: Art. 5 para. 1 lit. c GDPR)
The basic idea behind the term data minimization is that personal data may only ever be collected if it is absolutely necessary for the purpose in question. The focus here is on the scope of the data and the type and length of processing. If these conditions are not met, the data may not be collected. (Source)
What is not collected does not have to be stored and, accordingly, does not have to be protected or deleted. It sounds strange, but that is how it is, and it is the obvious advantage of data minimization. This section of the law prohibits the "unnecessary" collection of non-relevant data. The goal is therefore to have only "pure" data records, without attributes that are not relevant to the data processing process (keyword: data garbage).
If we illustrate this with the example of online stores, they may, for example, only collect personal data that is absolutely necessary for the ordering process.
As a user, you can recognize this data by the fact that it is marked as a mandatory field. All other data must be provided by the customer on a voluntary basis. As soon as this is not the case and the data is not relevant for the ordering process, there is a data protection violation and the company is liable to prosecution. This is a common example of data minimization as defined by the GDPR.
In general, whenever a lot of data is being collected (e.g. through surveys), one should question whether the list of questions and the collection of the data are still GDPR-compliant. In this case, a company must always ask itself the question: "Does the collection already fall under the data minimization law?".
In practice, the following points can help:
✅ Reducing the attributes of the data subjects to be collected
✅ Setting restrictions as default settings, so that personal data can only be processed for the corresponding purpose of use
✅ Suppressing data fields with the help of a data mask
✅ Automated procedures and routines for blocking, pseudonymizing and anonymizing
✅ Definition and implementation of a deletion concept (Source)
When collecting large amounts of data, the question always arises as to how the project can be reconciled with the principle of data minimization. Here, companies usually rely on anonymization or pseudonymization of personal data. This way, data can be processed without allowing conclusions to be drawn about specific individuals. Thus, personal data is protected and processed in compliance with GDPR.
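The measures listed above (fewer attributes, restrictive defaults, a data mask, pseudonymization and a deletion rule) can be combined in one small routine. The following Python sketch is an added example, not part of the original post and not Libelle DataMasking code; the purposes, field names, retention periods and key handling are assumptions chosen for illustration.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed policy (assumption): per purpose, how each field is treated and
# how long records are kept. Fields that are not listed are never passed on.
POLICY = {
    "order_fulfilment": {"retention_days": 365, "fields": {
        "customer_id": "keep", "name": "keep", "address": "keep",
        "email": "keep", "iban": "mask"}},
    "sales_analytics": {"retention_days": 90, "fields": {
        "customer_id": "pseudonymize", "postcode": "keep",
        "order_total": "keep"}},
}

# Constructed sample record; birthday and shoe_size serve no listed purpose.
SAMPLE = {"customer_id": 4711, "name": "Erika Mustermann",
          "address": "Musterweg 1", "postcode": "70173",
          "email": "erika@example.com", "iban": "DE89370400440532013000",
          "order_total": 59.90, "birthday": "1980-02-29", "shoe_size": 39}


def pseudonym(value, key):
    """Keyed HMAC-SHA256: stable per key, so joins across tables still work.
    Whoever holds the key can re-link pseudonyms, so store it separately."""
    return hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:16]


def mask(value, visible=4):
    """Data mask: show only the last `visible` characters, none if too short."""
    text = str(value)
    if len(text) <= visible:
        return "*" * len(text)
    return "*" * (len(text) - visible) + text[-visible:]


def minimize(record, purpose, key):
    """Restrictive default: an unknown purpose yields an empty record."""
    rules = POLICY.get(purpose, {}).get("fields", {})
    actions = {"keep": lambda v: v, "mask": mask,
               "pseudonymize": lambda v: pseudonym(v, key)}
    return {f: actions[a](record[f]) for f, a in rules.items() if f in record}


def due_for_deletion(collected_on, purpose, today):
    """Deletion concept: past retention, or held without a known purpose."""
    policy = POLICY.get(purpose)
    return policy is None or today > collected_on + timedelta(
        days=policy["retention_days"])
```

Because the pseudonym is keyed and deterministic, the same customer maps to the same token in every table, while anyone without the key cannot recompute it from a guessed customer number.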
What lies behind anonymization and pseudonymization is explained in more detail in another blog post. With Libelle DataMasking, Libelle IT Group has developed a solution for the required anonymization and pseudonymization. The solution was designed to produce anonymized, logically consistent data on development, test and QA systems across all platforms.
The anonymization methods used deliver realistic, logically correct values that can be used to describe relevant business cases and test them in a meaningful end-to-end manner. Furthermore, developers as well as users are provided with a "clean" database, so they do not have to worry about data protection.