Key Topics Covered

What Is Data Minimization and Why It Matters

Why Over-Collection Happens

How to Determine What Data Is Necessary

Maintaining Data Minimization Throughout the Data Lifecycle

Data Minimization as Enabler

Data minimization principle requires organizations to collect only what is necessary for a clearly defined purpose, as established in the GDPR Article 5(1)(c). 

In assessment contexts, data collection is often driven by legitimate needs, such as ensuring fairness, enabling analysis and supporting accountability, trust, and security. This can create an assumption that collecting more data will strengthen oversight and compliance. However, collecting data beyond what is necessary, increases security risks, governance complexity, and the likelihood of unintended reuse, as noted by the European Union Agency for Cybersecurity and the European Data Protection Board.

This article focuses on a practical question: how organizations can clearly determine what data they actually need to collect.

What Is Data Minimization and Why It Matters

At its core, data minimization means collecting only the data that is directly needed to achieve a specific and clearly defined purpose. In practice, this requires organizations to be deliberate: to know why each data point is collected, how it will be used, and how long it needs to be retained.

For assessment organizations, this principle is particularly important. They process student information that can be personal and sensitive in nature, including identifiers, performance data, accommodations, gender, and sometimes socio-demographic details. This data is often retained over long periods to support analysis, ensure certification and audit requirements. At the same time, these organizations operate under a high level of public accountability, where trust and transparency are essential to their mandate.

Over-collection of data in this context creates tangible risks. Larger datasets increase the potential impact of data breaches and make systems more difficult to secure. It also increases the risk that data may later be used for purposes other than the ones it was originally collected for. In addition, retaining unnecessary data increases compliance obligations and complicates governance. 

Why Over-Collection Happens

In many organizations, collecting more data is the result of practical pressures and operational habits that accumulate over time.

A common driver is the “collect now, decide later” mindset. When systems are designed, it can seem safer to gather additional data in case it becomes useful in the future. However, this approach conflicts with the principle that data collection should be tied to a specific, defined purpose, as required under the GDPR.

Unclear or evolving purposes across departments also contribute to over-collection. Different teams may have overlapping but not fully aligned data needs. When there is no shared understanding of purpose, data fields are gradually added by different teams to meet immediate needs, rather than being defined upfront as part of a clear overall design.

Another factor is the concern that limiting data collection may restrict future analysis. While understandable, this often leads to retaining data that is rarely, if ever, used. Instead, data collection should be limited to what is relevant for current purposes, not hypothetical future use.

Finally, external pressures, such as audits, reporting obligations, or accountability requirements, can encourage organizations to collect and retain more data than strictly necessary. In such cases, data is often kept “just in case” it may be requested later, rather than because it serves an active operational need.

Recognizing these drivers is an important first step: over-collection is often not a failure of intent, but a lack of structured decision-making around what is truly necessary.

How to Determine What Data Is Necessary 

Applying data minimization in practice starts before any data is collected. The key is to introduce simple, structured checks that help to define what is truly necessary from the outset.

A first step is purpose specification, namely clearly defining why the data is being collected. This requires more than a general objective. The purpose should be specific enough to justify each data element. A concise, written purpose statement helps to ensure that data collection remains proportionate and justifiable.

Building on this, data mapping provides a practical way to connect purpose with actual data collection. This involves identifying what data is collected, where it is stored and how it is used across systems. It helps to reveal redundancies, unused data or data collected without a clear purpose.

A useful practical check is the “Would it still work without it?” test. For each data element, organizations should ask whether the processing would still function effectively without it. If the answer is yes, the data is unlikely to be necessary. For example, when administering an assessment, collecting a student’s unique identifier is essential to ensure correct attribution of results. However, collecting additional information, such as detailed socio-economic background, may not be necessary for the delivery and scoring of the assessment, unless it is clearly required for a defined analytical purpose. If the assessment can be conducted and validated without this additional data, it should not be collected by default.

Together, these approaches, namely, clear purpose definition, visibility over data flows, and simple necessity tests, provide a practical framework for deciding what data should be collected, before collection begins.

Maintaining Data Minimization Throughout the Data Lifecycle 

Defining what data to collect is only the first step. To effectively apply data minimization, assessment organizations must also ensure that data remains limited and relevant throughout its lifecycle. 

One key approach is anonymization or de-identification, where personal data is transformed so that individuals can no longer be identified. Where full anonymization is not feasible, reducing the use of direct identifiers can still significantly lower risk. 

Another essential measure is defining and enforcing retention periods. Data should not be kept indefinitely, but only for as long as it serves its original purpose. This aligns with the storage limitation principle under the GDPR. 

In addition, organizations should conduct periodic data reviews and clean-up exercises. Over time, systems tend to accumulate unused or redundant data. Regular reviews help to identify what is no longer needed and ensure it is securely deleted. Reducing stored data is a practical way to lower security risks.

Finally, data minimization should be treated as an ongoing process rather than a one-time decision. Embedding these practices into regular operations helps to ensure that data remains aligned with its original purpose, even as systems and requirements evolve. 

Data Minimization as Enabler 

Data minimization is often perceived as a limitation. In practice, it enables more effective and sustainable data management. By reducing the volume of data collected and retained, organizations lower their exposure to security risks and the potential impact of data breaches. 

At the same time, managing smaller and more focused datasets reduces storage and compliance costs. Minimization also simplifies governance. When each data element has a clear purpose, defined use and retention period, oversight becomes more manageable and decision-making more transparent. This aligns with accountability expectations under the GDPR.  

For assessment organizations in particular, data minimization plays a critical role in maintaining public trust. Demonstrating that student data is handled carefully and only when necessary, reinforces confidence in the integrity of assessment systems. In this sense, data minimization is not about restricting data use, it is about enabling organizations to use data more responsibly and efficiently.

Conclusion

Data minimization is not achieved through a single decision, but through a series of deliberate choices made before and throughout data processing. It starts with a clear understanding of what the principle means in practice, and with recognizing that collecting more data does not automatically lead to better outcomes. In many cases, over-collection is not intentional, but the result of common organizational habits. Addressing these requires a more structured approach to decision-making. 

Practical methods such as clearly defining purposes, mapping data flows, and testing whether a process would still function without certain data points provide a reliable way to determine what is truly necessary. Once data is collected, techniques such as limiting retention, anonymization, and regular data reviews help to ensure that it remains relevant and proportionate. For assessment organizations, these efforts bring clear benefits: reduced risk, simpler governance, and stronger public trust. Data minimization, therefore, is not a constraint, but a way to make data use more focused, defensible, and effective.

About the Author

Jana is an EU-based legal professional specializing in data protection and privacy, with a focus on regulatory compliance. She holds an LL.M. from Stockholm University and is a Certified Information Privacy Professional/Europe (CIPP/E). At Vretta, she supports GDPR compliance and integrates privacy and security principles into the company’s day-to-day operations and digital learning platforms.

Her work centers on making complex legal requirements practical. She enjoys transforming privacy and security into actionable frameworks, helping build a culture where these topics are not just policies, but integral parts of everyday decision-making. 

If you are interested in discussing data protection developments and explore how to strengthen security practices, please feel free to get in touch with Jana Begun at: dpo@vretta.com | LinkedIn

References

1. Regulation (EU) 2016/679 (General Data Protection Regulation), Article 5(1)(c) - Data minimization principle.

2. ENISA, Data Protection Engineering (2015), available on: https://www.enisa.europa.eu/publications/data-protection-engineering; EDPB, Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, available on: https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-42019-article-25-data-protection-design-and_en?utm.com

3. Supra note 2, Data Protection Engineering - discusses how reducing data volume lowers security risk exposure.

4. Supra note 2, EDPB Guidelines. 

5. Regulation (EU) 2016/679 (General Data Protection Regulation), Article 5(1)(b) - Purpose limitation: personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.

6. Regulation (EU) 2016/679 (General Data Protection Regulation), Article 5(1)(b) - Purpose limitation principle.

7. Article 29 Working Party, Opinion 05/2014 on Anonymisation Techniques, available on: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf

8. Supra note 2, Data Protection Engineering - data minimization as a security measure.