DAT-007 Data Minimisation and Purpose Limitation
Description
Only the minimum personal data required to fulfil a specific, documented purpose is collected and retained. Data is not used for purposes incompatible with those disclosed at collection. Processing purposes are reviewed when product capabilities change.
Rationale
Collecting more data than necessary increases breach impact and creates regulatory exposure. Purpose limitation prevents data from being repurposed in ways that undermine individual rights.
Framework Mappings (6)
| Framework Control | Title | Mapping Coverage |
| --- | --- | --- |
| DSP-07 | Data Protection by Design and Default | partial |
| DSP-12 | Limitation of Purpose in Personal Data Processing | full |
| GDPR-Art.5.1b | Purpose Limitation | full |
| GDPR-Art.5.1c | Data Minimisation | full |
| PT-2 | Authority to Process Personally Identifiable Information | partial |
| PT-3 | Personally Identifiable Information Processing Purposes | full |
Evidence (2)
Data minimisation and purpose limitation policy or procedure documenting the requirement to collect only necessary personal data and restrict use to declared purposes.
Example: Data Minimisation Procedure (Confluence), approved by DPO, specifying the privacy-by-design review gate for new data collection fields, the requirement to document collection justification, and the process for reviewing purposes when product capabilities change
Test: Request the data minimisation policy or procedure. Verify that it: (1) explicitly prohibits collection of personal data without a documented purpose, (2) includes a review or sign-off step when new data fields are added to products, (3) defines the process for reviewing and updating purposes when product features change, (4) was approved by the DPO or equivalent authority within the last 24 months.
Completed data minimisation reviews or privacy design review records showing that data collection fields were evaluated against necessity for specific product features.
Example: Privacy design review sign-off tickets (Jira) for the last 3 significant product releases — each showing: data fields collected, stated purpose, DPO or privacy engineer sign-off, and outcome (approved / fields removed)
Test: Request design review or privacy sign-off records for the last 3 product releases involving personal data collection changes. Verify: (1) a review was conducted for each release, (2) each review documents which data fields were collected and why, (3) DPO or privacy lead approved each review, (4) at least one example exists where a field was removed or reduced following review.
Questions (2)
Does your organisation have a documented policy or procedure requiring that only the minimum personal data necessary for a specific, documented purpose is collected?
The policy should explicitly prohibit collection of personal data without a documented purpose and require review when product capabilities change. It should be approved by the DPO or equivalent authority.
How does your organisation enforce data minimisation and purpose limitation in practice?
A mandatory review gate in the development process (e.g. a privacy design review ticket) is the most effective control. Selecting multiple overlapping mechanisms indicates a mature programme.