Data Minimization for GDPR and CPRA

• Data minimization refers to only collecting, processing, and retaining the data that’s necessary to complete a defined task.

• Privacy laws like the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA) approach data minimization through the lens of whether the collection and processing is reasonable and proportionate to the stated purpose. 

• Explore this guide to learn what data minimization is, how it's handled under GDPR and CCPA, and how to implement an effective data minimization strategy at your company.

• What is data minimization?

• Data minimization under GDPR

• CPRA data minimization

• Implementing data minimization 

• Data minimization best practices

• Data minimization benefits

Data minimization means only collecting, processing, and retaining the data that’s absolutely necessary to complete a specific task. In the context of privacy laws like the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA), data minimization is defined in part by whether it’s reasonable and proportionate to the task at hand. 

Following the data minimization principle helps businesses think through the purpose behind their data collection processes—helping to minimize unnecessary collection and better protect consumer privacy.

But even beyond privacy laws, data minimization can help businesses to: 

• Determine what data should be collected, processed, and stored

• Reduce privacy risks and compliance burdens

• Reduce the time required to manage a privacy program

• Limit the collection of sensitive personal information 

• Ensure data processing remains within a defined scope

The concept of data minimization can be found as far back as the Fair Information Practice Principles—an eight principle framework on data collection and privacy published by the Organization for Economic Cooperation and Development in 1980. Data minimization is also a key data processing principle in the GDPR, outlined in Article 5. 

But as mentioned above, data minimization is not exclusive to EU regulations. In fact, many other privacy laws, like CPRA, also contain similar requirements regarding this concept.

Below we’ll cover what data minimization means in the context of GDPR, followed by how it’s treated under California’s privacy laws.

Data minimization is one of seven principles the GDPR outlines about processing personal data. GDPR Article 5 states: 

Personal data [collection] shall be… adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

GDPR doesn’t offer specifics on what "adequate, relevant and limited" means exactly—requiring that it be assessed in relation to the purposes of processing. So to determine whether you’re collecting and using the appropriate amount of personal data, you’ll need to consider the why behind the processing, as well as the individual and situational context.

The UK Information Commissioner's Office (ICO) provides several context-driven examples of when a business could be processing too much data.

According to CPRA, businesses may not process data beyond what’s: 

“reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed . . . .”

It also states that businesses: 

“shall not retain a consumer’s personal information or sensitive personal information . . . for longer than is reasonably necessary”

The California Privacy Rights Act (CPRA) is one of the most stringent US state privacy laws in terms of data minimization requirements—emphasizing the strict need to limit unnecessary data collection and processing.

In addition to supporting data minimization as a general principle, CPRA restricts data processing to a handful of accepted purposes and requires businesses to delete sensitive consumer data once it’s no longer in use.

To implement data minimization across your business, you’ll need to understand what personal data your company collects, why it’s being collected, how it’s being used, and how long it’s stored. 

Though data mapping isn’t an explicit CPRA requirement, creating a comprehensive data inventory is critical to understanding these data flows. Not only that, but an up-to-date data map can act as a foundation for other key compliance activities.

A critical part of the data minimization process is identifying what personal data you possess, where it lives, who uses it, and how it’s stored. Be sure to conduct this analysis within a specified scope i.e. data relevant to business operations.

To streamline this process, be sure to involve all relevant stakeholders from the beginning, including marketing and sales, security, compliance, IT, and legal. 

Determine and document internal criteria for what “adequate, relevant, and necessary” data collection looks like at your organization. Though it can be difficult to establish protocols based on open-ended language, going through the exercise and documenting your results can go a long way in proving a good faith effort at compliance.

Carefully consider what data your organization actually needs, as well as how it will be handled once collected. Use the questions below as a starting point for these conversations.

1. Is the personal data we collect necessary for processing purposes?

2. Does the personal information we hold fulfill those purposes?

3. Have we recently reviewed the data we hold?

4. Do we delete personal data that's no longer relevant?

Once you have your criteria, be sure to document and then socialize it across your organization. Not only will this give you a strong foundation in case of an audit, it will help to establish a culture of data minimization that extends beyond the privacy team.

Once you have your data map and criteria for data retention, you’ll need to set up and follow a clear data retention schedule. This schedule should specify how long different data types will be stored, as well as a process for deletion. 

Make sure this schedule focuses on prompt deletion of unnecessary information, potentially opting to deploy an automated system that triggers erasure after a predefined period.

Though data minimization can be hard to implement at scale, there are a few best practices that will help ensure the success of your project. 

• Define your purpose of processing as clearly as possible. Everyone, including consumers, team members, and regulators, should be able to easily understand what data is being collected and why.

• Implement data collection processes that are designed to collect non-personal data, or the least amount of personal data as possible.

• When collecting data from consumers, limit the available options to checkboxes or radio buttons, rather than freeform text. This will help you limit the sprawl of unstructured data, which is notoriously difficult to identify, collate, and track.

• Use automated processes, such as machine learning and artificial intelligence (AI), to eliminate unnecessary datapoint before ingesting new data into your company’s tech stack.

To maintain GDPR and CPRA compliance, businesses should strive for data minimization at every level of the org. This entails collecting only necessary data and deleting excess information at specified periods. Aside from legal compliance, this practice also offers several additional benefits: 

• Streamlined privacy law compliance

• Less risk of data breaches due to fewer attack surfaces

• Reduced overhead in terms of storage costs and technology resources

• Improved user trust as a result of better transparency

• Increased agility in business operations thanks to faster access to information

Applying data minimization broadly across your company will provide benefits at every level, but it can be a big project. So start small using the strategy outlined above and see where your efforts take you.

Transcend is the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.

Transcend Data Mapping is the only solution that goes beyond observability to power your privacy program with smart governance suggestions. Get unified data management through automated scanning, data silo discovery and advanced data classification, all in a collaborative platform.

Ensure nothing is tracked without user consent using Transcend Consent, automate data subject request workflows with Privacy Requests, and mitigate risk with smarter privacy Assessments.

• Principle (c): Data minimisation

• The CPRA Digest: Data minimization

• Why data minimization can help you