Amazon’s Jeff Bezos once famously stated that his company never threw away data. Whether true or not, that approach would be forbidden in regions that have data minimization regulatory requirements – the EU is currently the most prominent example of this. Data minimization is a principle which states that processors (businesses) should identify and store only the minimum amount of data needed to fulfill a purpose. In other words, it’s not permissible to gather data first and ask questions about what to do with it later.
There are other storage and operating practices that fall under the umbrella of data minimization. For example, the need to re-obtain consent periodically from users on already-captured data, or the requirement to delete data after a certain time period has elapsed both ladder up to an objective of data minimization. So does an emphasis on tightly-managed Access Control. These are all common features of new data privacy laws like GDPR.
Data minimization has obvious benefits for users – their data is only seen and processed when its necessary – but it can benefit businesses too. It’s not uncommon for a business to find itself drowning in customer data with insufficient resources to categorize, store, and leverage it efficiently. Organizations that incorporate data minimization into their way of working will end up with data operations that are lean and powerful. But because it’s such a foundational feature, going back to retroactively apply data minimization principles to an existing bloated system can be a significant logistical challenge.