Data Minimisation in Practice: Insights from a Real-World Audit

Data minimisation is one of the foundational principles of data protection laws such as the UK General Data Protection Regulation (UK GDPR), where it appears as Article 5(1)(c). It requires that personal data be adequate, relevant, and limited to what is necessary for the specific purpose for which it is processed. Despite its apparent simplicity, the practical implementation of this principle can be quite challenging. It requires not just awareness but a fundamental rethinking of how data is valued and handled within an organisation.

Our experience during a recent audit of a mid-sized e-commerce company offered valuable insights into the operational realities of data minimisation. The audit, conducted as part of a wider data protection compliance assessment, revealed the nuanced challenges and opportunities in putting this principle into practice. By examining the findings from this real-world scenario, we can explore what effective data minimisation looks like and how organisations can genuinely embed it into their processes.

Initial Observations: Where Things Often Go Wrong

At the outset of our audit, we focused on mapping the lifecycle of personal data within the company. This began with investigations into what data was being collected at various user touchpoints, including website registration, customer service chats, and email marketing sign-ups. What quickly became apparent was the persistence of a ‘collect-it-just-in-case’ mentality.

For example, during customer registration, users were required to provide their full name, date of birth, gender, email address, postal address, and mobile number, even when they were making a simple one-time purchase. There was no clear justification for collecting some of these data points, particularly the date of birth and gender, which had no demonstrable relevance to the service being provided. This is a classic sign of overcollection, and it pointed to an underlying issue: data minimisation was not being consciously practised; data collection had simply become habitual.

Further probing revealed this overcollection extended into the company’s internal HR and recruitment processes. Candidate application forms routinely asked for National Insurance numbers, even for early-stage applications where no offer had been made. The company’s rationale was that it would eventually need this information, so better to collect it up front. This rationale illustrates a misconception: just because data might be used eventually does not justify its collection without immediate necessity.

Beyond Compliance: Risk and Resource Implications

While the breach of legal requirements presents a clear compliance risk, the audit revealed other, subtler consequences of poor data minimisation. One of them is increased data management complexity. The company was struggling with an outdated and overly complex customer data platform precisely because it was storing information that it didn’t need. This increased the workload for their IT team, made data portability and access requests more cumbersome, and limited their ability to migrate platforms efficiently.

Storing excessive data also introduces security concerns. Data that is not held cannot be breached, so every field retained without purpose widens the blast radius of an incident and the scope of any breach notification that follows. During the audit, the company acknowledged that several data fields were being retained indefinitely or for longer than objectively necessary. Without a rigorous data retention and deletion policy, and in the absence of robust access controls and monitoring, these long-lived datasets were an accumulating liability rather than an asset.

What’s more, excessive data can damage user trust. Customer surveys revealed that many users weren’t sure why certain details had to be provided or what would be done with them. Some had even abandoned transactions due to the perception that the company was being intrusive. This underscores a vital point: transparency and necessity go hand in hand. If users understand why their data is being collected and can see the logic behind it, they are more likely to provide it willingly and maintain confidence in the organisation.

Steps Towards Functional Data Minimisation

Once we had documented the existing state, the conversation turned to remediation. The company appreciated that data minimisation had not been a priority, partly due to a lack of internal education and partly due to the inertia of legacy systems and processes. With support from senior leadership, we helped initiate a multi-pronged strategy.

First, we worked with key stakeholders to define specific purposes for each data collection point. This included reviewing user flows, interview guides, forms, and software functionalities. Every data field was assessed against the three criteria: adequacy, relevance, and necessity. Where a field could not be clearly justified within a particular purpose, it was flagged for removal.

Second, we introduced user-centred design workshops involving engineers, designers, and marketing teams. The aim was to ensure that new features or campaigns would begin with data minimisation in mind, rather than treating it as an afterthought. These sessions proved powerful: for instance, designers realised that offering a personalised experience did not require knowing a user's exact age, but only their age range or their preference for specific product categories.

Third, we developed a data audit schedule and assigned an owner for each dataset. This included clear criteria and automated prompts for reviewing whether older datasets should be retained, anonymised, or deleted. It also incorporated legal considerations, such as retaining records for tax or contractual obligations, but did so selectively, with each exception tied to a documented basis rather than used as a blanket reason to keep everything.

The Role of Technology and Automation

As part of the transformation, the company deployed a data management platform that enabled granular control over data collection and processing. This allowed the team to set collection rules adaptively, such as only requesting certain user data after specific actions had been taken (for example, asking for a date of birth only when age verification was a legal requirement).

These tools also allowed better categorisation of data types (sensitive, identifiable, or behavioural) and the implementation of conditional logic that could automate decisions on what was collected and when. Importantly, they could also generate compliance logs and produce prompt reports, whether for a data subject exercising their right of access or for a supervisory authority in the event of an audit.
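The conditional collection described above, as an added example that is not code from the audited company or its platform. Every field a form may accept is bound to a documented purpose and to a condition under which that purpose applies; anything submitted without a live purpose is dropped before it reaches storage, and the same registry drives the explanation shown to the user. The field names, purposes, categories and conditions are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Any, Callable, Mapping

Context = Mapping[str, Any]


@dataclass(frozen=True)
class FieldRule:
    """One personal-data field the form may accept, bound to a documented purpose.

    `needed_when` decides, from the transaction context, whether that purpose
    actually applies right now. A field with no matching rule is never accepted.
    """
    name: str
    purpose: str
    category: str                                   # e.g. "identifier", "contact", "sensitive"
    needed_when: Callable[[Context], bool] = lambda ctx: True


# Constructed allow-list for a hypothetical checkout form; the fields, purposes
# and conditions are illustrative assumptions, not the audited company's schema.
CHECKOUT_RULES = (
    FieldRule("email", "send order confirmation and receipt", "contact"),
    FieldRule("full_name", "address the parcel", "identifier",
              needed_when=lambda ctx: ctx.get("physical_delivery", False)),
    FieldRule("postal_address", "deliver physical goods", "contact",
              needed_when=lambda ctx: ctx.get("physical_delivery", False)),
    FieldRule("date_of_birth", "statutory age verification for restricted items", "identifier",
              needed_when=lambda ctx: ctx.get("age_restricted_item", False)),
)


def minimise_submission(submitted: Mapping[str, Any], rules, ctx: Context):
    """Return (accepted, rejected, missing) for one form submission.

    accepted: fields with a live purpose in this context, keyed by name
    rejected: submitted fields with no justified purpose here (dropped, never stored)
    missing:  fields whose purpose applies but which the client did not supply
    """
    live = {r.name: r for r in rules if r.needed_when(ctx)}
    accepted = {k: v for k, v in submitted.items() if k in live and v not in (None, "")}
    rejected = sorted(k for k in submitted if k not in live)
    missing = sorted(k for k in live if k not in accepted)
    return accepted, rejected, missing


def purpose_notice(rules, ctx: Context) -> dict:
    """What the form should tell the user: each field requested now, and why."""
    return {r.name: r.purpose for r in rules if r.needed_when(ctx)}


if __name__ == "__main__":
    # Constructed over-collecting submission for a digital-only, unrestricted order.
    form = {"email": "a@example.com", "full_name": "A. Person", "date_of_birth": "1990-01-01",
            "gender": "F", "mobile": "07000000000"}
    acc, rej, miss = minimise_submission(form, CHECKOUT_RULES, {"physical_delivery": False})
    print("stored:", acc)      # only email survives
    print("dropped:", rej)     # date_of_birth, full_name, gender, mobile never reach storage
    print("ask for:", purpose_notice(CHECKOUT_RULES, {"age_restricted_item": True}))
```

The design choice worth noting is that the registry is the single source of truth for three things at once: what the API will persist, what the client should render, and what the user is told. A field that marketing would like to add has to arrive with a purpose and a condition, which is exactly the conversation the workshops were meant to force.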

Automation extended to data deletion. Based on documented retention policies, the system could flag and purge data that had outlived its purpose, reducing the risk of oversights. It also reduced the administrative burden on already-stretched data protection teams, ensuring that governance did not rest solely on manual processes.
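A retention pass of the kind described in the audit schedule above and in the automated deletion paragraph, as an added example that is not the company's or any vendor's code. Each data category carries a retention period counted from the date the record last served its purpose, an action (delete or anonymise) and a documented basis; a legal hold blocks purging, and a record whose category has no rule is reported as a governance gap rather than silently kept or silently deleted. The categories, retention periods and sample records are constructed assumptions, not legal guidance.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Iterable


@dataclass(frozen=True)
class RetentionRule:
    category: str
    keep_for: timedelta          # counted from the date the record last served its purpose
    action: str                  # "delete" or "anonymise"
    basis: str                   # the documented reason the period is what it is


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    purpose_ended: date          # e.g. order fulfilled, ticket resolved, campaign finished
    identifiers: dict            # name, email, address: the part minimisation cares about
    legal_hold: bool = False     # litigation or regulator request: nothing is purged while set


# Constructed schedule; the periods are illustrative assumptions, not legal advice.
SCHEDULE = {
    "support_chat": RetentionRule("support_chat", timedelta(days=180), "delete",
                                  "resolved tickets have no ongoing purpose"),
    "order_invoice": RetentionRule("order_invoice", timedelta(days=6 * 365), "delete",
                                   "assumed statutory accounting retention period"),
    "analytics_event": RetentionRule("analytics_event", timedelta(days=30), "anonymise",
                                     "aggregate trends are kept; identity is not"),
}


def classify(records: Iterable[Record], schedule, today: date) -> dict:
    """Sort records into the action the schedule requires on `today`.

    Held records are listed separately and left alone. A record whose category
    has no rule is a governance gap and is reported, not guessed at.
    """
    out = {"delete": [], "anonymise": [], "retain": [], "hold": [], "unscheduled": []}
    for r in records:
        rule = schedule.get(r.category)
        if rule is None:
            out["unscheduled"].append(r.record_id)
        elif r.legal_hold:
            out["hold"].append(r.record_id)
        elif today >= r.purpose_ended + rule.keep_for:
            out[rule.action].append(r.record_id)
        else:
            out["retain"].append(r.record_id)
    return out


def apply_purge(records: list, schedule, today: date) -> list:
    """Return the store after one pass: expired records removed or stripped of identifiers."""
    plan = classify(records, schedule, today)
    to_delete, to_anonymise = set(plan["delete"]), set(plan["anonymise"])
    kept = []
    for r in records:
        if r.record_id in to_delete:
            continue
        if r.record_id in to_anonymise:
            r = replace(r, identifiers={})   # event survives, the person does not
        kept.append(r)
    return kept


# Constructed sample store, evaluated against a fixed date so the run is deterministic.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Record("chat-1", "support_chat", date(2023, 10, 1), {"email": "x@example.com"}),   # past 180 days: delete
    Record("chat-2", "support_chat", date(2024, 3, 1), {"email": "y@example.com"}),    # within period: retain
    Record("inv-1", "order_invoice", date(2019, 1, 15), {"name": "A. Person"}),        # under 6 years: retain
    Record("inv-2", "order_invoice", date(2017, 1, 15), {"name": "B. Person"}, legal_hold=True),  # expired but held
    Record("evt-1", "analytics_event", date(2024, 4, 1), {"user_id": "u123"}),         # past 30 days: anonymise
    Record("misc-1", "legacy_export", date(2015, 1, 1), {"name": "C. Person"}),        # no rule: report
]

if __name__ == "__main__":
    for action, ids in classify(SAMPLE, SCHEDULE, TODAY).items():
        print(f"{action:12} {ids}")
    print([(r.record_id, r.identifiers) for r in apply_purge(SAMPLE, SCHEDULE, TODAY)])
```

Two behaviours matter more than the arithmetic. First, the clock starts at the end of the purpose, not at collection, which is what lets an invoice and a chat transcript from the same order expire at different times. Second, the "unscheduled" bucket is deliberately loud: in the audit it was the categories nobody owned, not the ones with a policy, that had been retained indefinitely.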

Organisational Culture and Behavioural Shift

Despite technology upgrades, the most lasting change came from a shift in organisational culture. Through a series of training programmes, townhall briefings, and cross-functional meetings, data minimisation was repositioned not just as a legal requirement, but as an ethical obligation and an efficiency tool.

Employees began to ask tougher questions: Do we genuinely need this piece of information? Who will use it, and how? What are the risks if it’s misused or leaked? In customer-facing roles, staff became more transparent about why data was being requested and offered alternatives where possible. For example, instead of mandating a phone number for email support enquiries, this was made optional with a clear explanation of its intended use.

This human-centred thinking also permeated product development pipelines. Teams were encouraged to trial ‘data lean’ prototypes, deliberately limiting the amount of personal information collected to match exactly what was needed for an MVP (Minimum Viable Product). This not only helped test user assumptions more quickly but also bolstered security and reduced time to market by simplifying backend architecture.

Insights and Lessons for Wider Application

Our audit findings reaffirmed that data minimisation is not simply about collecting less data; it is about collecting the right data, for the right reasons, and managing it with a clear purpose. It is a balance between operational effectiveness, customer trust, legal compliance, and ethical stewardship.

Several key lessons emerged:

1. Start with purpose. If you can’t clearly define why a piece of data is being collected and how it will be used, you probably shouldn’t be collecting it.

2. Engage your teams. Data minimisation works best when it is embedded in cross-functional processes, not left to the Data Protection Officer alone.

3. Use technology wisely. Tools should serve your minimisation strategy, not be an excuse to hoard. Automate monitoring, deletion, and access controls wherever feasible.

4. Review regularly. Data needs and organisational goals change. A quarterly review of data types and retention policies helps ensure ongoing alignment.

5. Communicate with users. Tell them what you collect, why you collect it, and how it benefits them. Openness builds credibility; opacity breeds mistrust.

Looking Ahead

The principle of data minimisation will become even more vital as organisations increasingly rely on big data, AI, and predictive analytics. The temptation to collect as much information as possible “just in case” will continue to grow. However, our audit experience shows that disciplined and thoughtful data practices are not only achievable but also bring tangible benefits—from reduced risk and operational efficiency to stronger customer loyalty.

Organisations must therefore move beyond compliance checklists and develop a genuine culture of data stewardship. That means respecting the data entrusted to us, using it wisely, and ensuring it serves both organisational and societal good. The road to data minimisation is a journey—iterative, ongoing, and deeply rewarding when done with clarity and care.
