
Data minimization: provide only the data that are really necessary

Let's delve into the concept of data minimization, a beacon of hope for those wary of spreading their personal data far and wide. As articulated in the GDPR, data minimization emphasizes limiting the collection of personal information to what is directly relevant and necessary for a specific purpose. But what does this mean in practice? And how does it relate to our everyday online interactions, such as buying socks or subscribing to newsletters?

Do you ever wonder why on earth you need to share your birthday when buying a pair of socks online? Is that really necessary to get the purchase swiftly to your home? Don’t think so. How many times did you have to enter your email and full home address before being able to discover shipping costs? Would the shipping costs be different per city, province or region in Belgium? Once you’ve entered your email, you’ll receive a welcome message. And an invitation to sign up for a newsletter, if you're lucky. Cause you might just as well receive it anyway, opt-in or not. Hurray, you’re in another database…

Then why is everybody asking for so much information, and by doing so not complying with the General Data Protection Regulation (GDPR)? ‘Cause data minimization is clearly defined in the regulation [1].

Enter marketers, sales execs and over-ambitious business plans. They all would love to send you birthday wishes, including a great discount for your next purchase. They’re all eager to find out where you live and what your email is and preferably as early as possible in the process. 

So it’s tempting to gather as much data as possible when interacting online with a prospect, client or stakeholder: name, gender, address, birthday and email are often asked for even before initiating a purchase.

The sole purpose is to retrieve - and store - as much of your data as possible.

Yves Braeckman

You don’t like that? Neither do we. And you are right not to like it! Treasure your data privacy and enter data minimization. Your beacon of hope if you’re not into spreading your data around. The principle of “data minimization” means that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specific purpose [2]. Article 5(1)(c) of GDPR [3] says: ‘Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.’ [4]

First look at the three words that guide you to best-practice data minimization:

  1. Adequate: what information is sufficient to properly fulfill your stated purpose?

  2. Relevant: does the information you ask for have a rational link to that purpose?

  3. Limited: what information is really necessary: hold no more than you need!

Now let’s look at our socks purchase again. Is my birthday a necessary piece of data to get socks to my door? Nope. My birthday is not adequate, nor relevant. That’s two strikes. Third one and you’re out? Here you go: you need to limit data gathering to what you need. Sock vendor, you’re out! 

Data minimization will become even more relevant as part of the Digital Services Act. Active as of 2025, it aims to create a safe digital space with sufficient protection of citizens’ rights. In this act, data minimization plays an important role in ensuring responsible data usage and data governance. Discover more about this act in a post soon.

By Yves Braeckman

As Head of Compliance I work on finding a balance between performing online interactions and respect for privacy in the broadest sense. The goal is to gain stakeholders’ confidence while creating durable digital solutions. Already today - but even more so in the years to come - compliance forms a cornerstone for any online activity.