What Is Data Minimisation? Collecting Less, Proving More
Data minimization means holding only what you need. A plain guide to GDPR Article 5(1)(c), the honeypot risk, and how to minimise data and still act on it.
Niels van den Bergh
CEO
July 16, 2026

Introduction
Every system you build creates an appetite for data. More fields mean more context, more context means better decisions, and so the form grows. The reflex is understandable: collect now, work out what you need later. But every byte you hold is a byte you must secure, justify, and one day explain to someone who may not be sympathetic. Data minimisation is the discipline that interrupts that reflex at the design stage, before the habit hardens into architecture.
What is data minimisation?
Data minimisation is the principle that an organisation should collect only the personal data it actually needs for a defined purpose, nothing beyond it, and nothing held speculatively in case it becomes useful later.
The phrase "just in case" is the tell. A form that asks for a date of birth when only age-eligibility matters is collecting more than the purpose requires. A system that logs full IP addresses when only country-level routing is needed does the same. Neither extra field adds capability; both add liability.
The practical discipline is to start from purpose and work backwards. Define what the process is meant to achieve. Identify the minimum data required to achieve it. Collect that, and only that. This sounds obvious. In practice, it runs against every instinct of a development team building for flexibility, and against every commercial instinct to accumulate data as a future asset.
Data minimisation does not mean collecting nothing. It means collecting precisely. The distinction matters, because the goal is to remain operational, not to become blind.
This is also why data minimisation belongs in architecture, not only in a privacy policy. If a system is designed so that every downstream team receives a copy of the source record, no privacy notice can repair that. If it is designed to move only the necessary fact, the policy finally has something real to describe.
What the GDPR says: Article 5(1)(c)
The General Data Protection Regulation makes data minimisation a legal obligation rather than a design virtue. Article 5(1)(c) states that personal data shall be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation')".
Three words carry the load.
Adequate means the data collected must be sufficient for the stated purpose. You cannot collect so little that the process fails, then claim data minimisation as cover.
Relevant means the data must have a genuine connection to the purpose. Collecting lifestyle data to verify an address is not relevant; it falls outside the scope of what the purpose requires.
Limited means no broader than necessary. Once you have met the adequate-and-relevant bar, you stop. There is no legal space for speculative collection beyond it.
The GDPR's necessity logic, set out in its recitals, adds a companion condition: personal data should be processed only if the purpose could not reasonably be fulfilled by other means. Article 25 turns that logic into an engineering obligation, data protection by design and by default, and Article 5(2) adds the accountability duty: you must be able to demonstrate compliance, not merely assert it. This is the harder question. It moves organisations past "is this data necessary?" to a tougher one: could we achieve the same outcome without it? That question often has an answer. Organisations rarely ask it.
For an architect, that question becomes concrete. Could the system return a yes or no instead of the full record? Could it accept a signed assertion instead of a document copy? Could it run a query where the data already sits, rather than pulling a copy back? Each of those is a design choice, not a policy statement.
Data minimisation sits alongside two sibling principles in Article 5. Purpose limitation governs what collected data can be used for. Storage limitation governs how long it can be kept. Together, the three principles describe a timeline: minimise what enters, constrain how it is used, limit how long it stays.
The honeypot argument: what you don't collect can't leak
Compliance is one reason to minimise data. Security is another, and arguably more concrete.
Every data store is a target. The larger the store, the larger the target. A database that holds full customer records, browsing histories, and inferred attributes attracts more risk than one that holds only the fields a transaction required. That is not a matter of probability; it is a matter of consequence when something goes wrong.
Data you never held cannot be stolen. It cannot be subpoenaed. It cannot be mis-shared in a process that travels further than intended. It cannot become the next incident that requires a breach notification, a regulator's investigation, and a public statement. The absence of data is a security control, not a gap.
Every data store that does not exist is an attack surface that does not exist. The honeypot argument is this: you cannot lose what you never had.
The reputational dimension follows the same logic. For government and regulated sectors the consequences are rarely only technical: a breach or mis-share can damage public confidence, trigger regulatory scrutiny, and affect vulnerable people. Minimising collection reduces the blast radius before any incident occurs. That is risk management, and it happens before compliance is ever tested.
Aggressive data minimisation, and still able to act
The false choice here is: collect everything to remain useful, or collect nothing and become blind. Neither position is real, but the bind is. Organisations that take minimisation seriously face a genuine question: how do you make decisions, verify facts, and demonstrate compliance when you are holding less data?
Three mechanisms break the apparent trade-off.
Share patterns, not data. In many analytical contexts, what a decision requires is a signal, not a record. Whether a population exhibits a behaviour matters; which specific individuals drove the pattern often does not. A transport authority can understand congestion without identifying every traveller. Aggregated analysis can satisfy the operational need without transferring personal records. The findings can be shared while the underlying records stay in place.
Prove a fact without disclosing the record behind it. Consider age verification. The decision to be made is binary: is this person eligible or not? The record behind that decision, the full date of birth, identity document details, and associated fields, does not need to travel to reach a yes or no. The answer can be issued without the evidence that produced it. The decision-maker learns only what they needed.
Leave the data at the source. Where verification or analysis can be performed close to where the data already lives, the data does not need to move. A system that checks a record and returns a result, rather than one that requests a copy of the record to check itself, handles less personal data in transit and in storage. This model fits public sector and regulated workflows, where authority already sits somewhere. The computation runs where the record already lives, so nothing is copied out.
These mechanisms make the earlier principle concrete: design for the minimum necessary transfer at each step. That is a different problem, and a soluble one. Pilots in regulated sectors have begun demonstrating exactly this: eligibility checks that return a decision without exposing the underlying record, pattern analyses that share findings without sharing the individuals behind them.
Data minimisation vs purpose limitation vs storage limitation
The three principles are related but distinct. Confusing them produces gaps.
Data minimisation operates at the front door. It governs what is collected in the first place. A minimisation question is: do we need this field at all? If the answer is no, the field does not enter the system.
Purpose limitation operates in the middle. It governs what collected data can be used for. If a user provided their email address to receive a delivery confirmation, using that address for marketing is a purpose limitation problem, not a data minimisation problem. The data was legitimately collected; the question is whether the new use falls within scope.
Storage limitation operates at the back door. It governs how long data remains in the system once the purpose is fulfilled. Retention periods, deletion schedules, and archiving policies are storage limitation questions.
A concrete case shows the division of labour. Suppose an organisation must confirm that a contractor is authorised to enter a restricted site. Purpose limitation fixes the purpose: site access control. Data minimisation fixes the data: an authorisation status, an expiry date, and an identifier, rather than a full employment file. Storage limitation fixes the retention: access logs kept for a defined security period, not the supporting documents held indefinitely. One scenario, three different questions.
Collecting only necessary data but keeping it indefinitely satisfies minimisation while failing storage limitation. The principles are not interchangeable.
How to implement data minimisation
Implementation starts at design time. Retrofitting minimisation onto an existing system is possible but harder. The practical sequence runs like this.
Start from purpose. Before specifying data fields, write down precisely what the process is meant to achieve. In practice, many systems are designed from the data inward rather than from the purpose outward. Reversing that order surfaces unnecessary fields before they are built in.
Work back to minimum fields. Given the purpose, identify what data is strictly required to achieve it. Question every field that does not have a direct and specific role in the outcome. Attachments deserve particular scrutiny, because one uploaded document often carries far more personal data than the process needs.
Prefer yes/no proof to full record. Where the downstream need is a binary decision, design for a binary answer rather than a full data transfer. Age-eligible: yes. Resident of eligible territory: yes. The downstream system receives the decision while the underlying data stays put.
Prefer reference to copy. Where a record must be checked, prefer a system that checks it in place over one that requests a copy. A reference to a verified fact is less data than the evidence base behind it.
Tier access to match need. Most users need a status, not a full record. Give operational staff the status, case handlers limited detail, and full records only to authorised specialists, with exceptional access logged and reviewed. This is minimisation applied to access, not only to collection.
Set short defaults for retention. The default retention period for any data should be the minimum required for the purpose. Extensions should require active justification, not passive inaction.
Separate identity from transaction where possible. Many processes require proof of eligibility but not persistent identity. Where the transaction does not need to link back to an individual over time, design it so that it does not.
Log access to prove restraint. Demonstrating minimisation to a regulator requires evidence of what was accessed, not just assertions. Access logs that record what fields were queried, by whom, and when give an organisation the ability to show its own behaviour rather than simply describing it.
What data minimisation is not
It is worth naming the common confusions, because they generate false confidence.
Data minimisation does not mean collect nothing. The GDPR's word is "adequate": the data collected must still be sufficient for the purpose. Under-collection that breaks a process is not compliance; it is operational failure, and it can produce unfair exclusions or unsafe decisions just as over-collection produces risk.
Data minimisation is not the same as anonymisation. Anonymisation is a technique applied to data you have already collected. Minimisation is a decision about what to collect in the first place. They can work together, but anonymisation after the fact does not retroactively satisfy a minimisation obligation if the original collection was excessive.
Data minimisation is not a one-off project. Systems change, purposes expand, and new fields are added incrementally. A short form does not help if the back office later imports a full dataset from another system. Minimisation requires review at each change, not a single assessment at initial build.
Data minimisation is not a reason to avoid accountability. Some teams fear that collecting less will leave them unable to prove what happened. That is a design problem, not a justification for over-collecting. A well-designed system keeps a durable, legally binding record of decisions, proofs, and disclosures, showing what was proved, who relied on it, and for which purpose, without storing unnecessary personal data to do so.
And data minimisation, as a principle, does not itself supply the machinery for proving-without-disclosing. The principle sets the goal. It establishes that you should not collect more than you need, and that purposes should be fulfilled by other means where reasonably possible. It does not specify how to produce a yes/no answer without transferring the underlying record. That requires infrastructure. The principle alone cannot supply it.
The missing layer: minimise and still act
The principle is clear. The gap is in the plumbing.
GDPR Article 5 tells an organisation what it should aim for. It does not run the systems that achieve it. For many organisations, the hardest part of data minimisation is not accepting the principle but operationalising the third mechanism: proving a fact without disclosing the record behind it, especially across an organisational boundary.
This is where infrastructure that sits alongside existing systems becomes relevant. mintBlue works in that layer: an additional layer alongside what an organisation already runs, not a replacement for it. The aim is modest and practical. It can help an organisation verify a claim without moving the underlying record, share an answer rather than the data that produced it, and keep a tamper-evident trail of what was proved, to whom, and when. Think of it as a sealed envelope. The recipient opens it and learns one fact they needed. They do not see the document behind the fact. The organisation that issued the proof keeps the underlying data, which never leaves its systems.
None of this requires replacing existing systems. Registers, case systems, and workflow tools remain where they are and keep the authoritative data. The surrounding layer simply helps other parties rely on specific facts, purpose by purpose.
In government and regulated settings, this is usually explored one workflow at a time, as a pilot or proof of concept. The strongest first candidates are the narrow, high-risk flows: document-heavy eligibility checks, licence or certificate verification, cross-organisation status checks, and audit-heavy workflows where proof matters more than content. The question is not whether every system should be rebuilt. It is which data flow can be narrowed first.
What to do next
The practical starting point is narrower than it looks. Pick one process. Map the data it currently collects against its purpose, field by field, and separate what is adequate and relevant from what is held speculatively. Then ask three questions of the flow. Can we share a pattern rather than the underlying data? Can we prove the required fact without disclosing the record behind it? Can the data stay at the source? If the answer to any of them is yes, there is a minimisation opportunity to take.
Minimisation does not require a programme. It requires a discipline applied incrementally, one purpose at a time. Narrow one API response. Replace one document upload with an authoritative assertion. Reduce one standing copy. Nothing needs to be dismantled to begin.