Data PrivacyBest Practices on Data Minimisation under Data Protection

August 29, 20230
Best Practices on Data Minimisation under Data Protection



Data minimisation is a core principle in data protection frameworks across the globe, including the Digital Personal Data Protection Act,2023, the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) in the United States, and many others. This write up highlights the best practices that have been adopted worldwide for minimizing data collection, storage, and usage, with the aim to inform businesses, policymakers, and consumers on how to effectively implement and benefit from data minimisation strategies.



Collect Only What is Necessary

The cornerstone of data minimisation is to collect only the data needed to achieve the specified objective. Businesses are encouraged to continually review their data collection forms and methods to ensure they are not asking for irrelevant or excessive information.

Time-bound Data Retention

Retaining data indefinitely is considered poor practice. Companies should set and clearly state data retention timelines, after which the data should be either anonymised or securely deleted.

Periodic Audits

Regular audits of data storage and usage can identify outdated or unnecessary data, which can then be removed. It ensures that data minimization is not a one-time activity but a continuous process.

Global Requirements


European Union (GDPR)
  1. Data Protection by Design: GDPR encourages organisations to incorporate data protection into the development of business processes and new systems.
  2. Data Protection Impact Assessments (DPIAs): These are recommended for risky data processing activities to assess how personal data is processed and to evaluate the necessity and proportionality of such processing.
United States (CCPA & HIPAA)
  1. Explicit Consent: The CCPA and Health Insurance Portability and Accountability Act (HIPAA) emphasise getting clear, informed consent before collecting data, specifically detailing what data will be collected and how it will be used.
  2. Data Mapping: Keeping track of how data flows through systems to ensure unnecessary data is not being collected or retained.
Asia-Pacific Region (PDPA &APPI)
  1. Data Breach Notifications: Countries like Singapore (PDPA) and Japan (APPI) require companies to notify authorities and affected individuals in case of data breaches, thereby encouraging companies to practice data minimization to reduce the risk.
  2. Review and Update Policies: Frequent policy reviews are encouraged to keep data minimization strategies up-to-date.
Australia (APP)
  1. De-identification: The Australian Privacy Principles (APP) encourage the use of de-identification for stored data so that the data can’t be used to identify individuals.
  2. Transparency: Clear and accessible privacy policies that explain what data is being collected and why.
India ( DPDPA)
  1. Explicit Consent: The enactment emphasise getting clear, informed consent before collecting data, specifically detailing what data will be collected for which purpose and how it will be used.
  2. Data Protection Impact Assessments (DPIAs): These are recommended for risky data processing activities to assess how personal data is processed, risk and to evaluate the necessity and proportionality of such processing.

Industry-specific Best Practices


Minimum Necessary Rule: Under HIPAA, healthcare providers must make reasonable efforts to use, disclose, and request only the minimum amount of information needed for a particular purpose.


Know Your Customer (KYC): Financial institutions practice data minimisation by collecting only the required information for compliance with regulations like Anti-Money Laundering (AML) and Countering Financing of Terrorism (CFT).


Step-by-Step Information Collection: Information is collected in stages, and only when needed, such as shipping information only being requested at the time of purchase.


Data minimisation is not just a regulatory requirement but a principle that can bring about operational efficiency and build customer trust. Companies worldwide are integrating data minimisation principles into their business practices, evolving in response to both technological advancements and legislative changes.

Adoption of these best practices can offer a competitive edge and also significantly reduce the risk of data breaches and associated penalties.



The following recommendations need to be adopted in your organisation so that

  1. Adapt and align your data minimisation strategies according to international standards and best practices.
  2. Conduct periodic internal and external audits to identify any shortcomings.
  3. Educate staff and stakeholders about the importance of data minimisation and train them in best practices.
  4. Clearly articulate data minimisation practices in your privacy policy and ensure transparency with your customers.
  5. Regularly review and update data minimisation practices to adapt to new technologies, business requirements, and regulatory changes.

By adopting these worldwide best practices, organisations can position themselves as responsible stewards of customer data, thereby gaining trust and reducing both operational and compliance risks.

For any query or feedback, please feel free to get in touch with or

© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.


Disclaimer & Confirmation As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:
    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.
However, the user is advised to confirm the veracity of the same from independent and expert sources.