Personal data minimization - a GDPR obligation that also serves as a security measure
Why the GDPR Article 5 minimisation principle is also a risk management rule in an ISMS, and how Detecto and Oblivio support it in the context of NIS2, the Polish Cybersecurity Act and DORA.
For the management of key and important entities covered by the amended KSC Act, data minimisation means processing only data that is adequate, relevant and limited to what is necessary for a specific purpose. In practice, this is not merely an item on a GDPR checklist, but a risk management principle for DPOs, CISOs, compliance managers, and IT and cybersecurity directors in medium-sized and large organisations who are responsible for information security and regulatory compliance. This is a matter of perspective. Every record of personal data collected without a clear need is also an asset that must be protected under the Information Security Management System (ISMS) - and thus an additional risk that someone must assess, minimise and document. Therefore, this topic covers not only the obligation arising from the GDPR itself, but also practical principles for limiting the scope of data, the risks associated with data redundancy, and tools for detecting and managing data that help reduce exposure to incidents and data breaches, whilst maintaining compliance with the GDPR, NIS2, KSC and DORA. Minimisation is one of the few areas where legal obligations and the economics of security point in exactly the same direction: less data.
Part 1. What the principle of data minimisation means in practice
Article 5 of the GDPR requires that personal data be "adequate, relevant and limited to what is necessary" in relation to the purposes of processing. The key word is "necessary" in relation to a specific purpose - data minimisation does not operate in isolation from the principle of purpose limitation. It is not about collecting data "just in case": personal data must be adequate, relevant and limited to the specific purpose of the processing. In practice, enforcing this principle relies on several mechanisms that should operate collectively, rather than in isolation: Data mapping and inventory. The record of processing activities should not be a document created once and then archived - it is a tool for systematically asking "why do we need this data field?" during every process review. It is also worth carrying out periodic database audits, regularly reviewing datasets, deleting redundant data, and ensuring that periodic reviews form part of accountable personal data processing. Privacy by design and by default. The assessment of necessity should take place at the design stage of a form, database or integration, not after the fact - default settings should collect the minimum necessary data, and a review of forms should lead to the removal of non-mandatory fields if they are not necessary for the purposes and do not serve to achieve the purpose. For high-risk operations, this same assessment is formalised by a Data Protection Impact Assessment (DPIA), which explicitly verifies whether the scope of data can be narrowed without compromising the business objective. The data controller should also assess whether this objective can be achieved by other means, in a more reasonable manner and with a narrower scope of data collection and processing. Retention policies with automatic expiry. A declaration of a retention period without a mechanism to enforce deletion or anonymisation once that period has elapsed is, in practice, a procedural fiction. Data should not remain in systems for longer than is necessary for data retention. It is advisable to set a deadline for deletion or anonymisation and to apply pseudonymisation wherever possible. The data remains anyway, because no one has the obligation or the tools to delete it. Access control based on the "need-to-know" principle. Data minimisation covers not only collection but also access to data already collected - excessive access falls into the same category of problem as excessive collection. Enforcing these mechanisms requires documenting decisions on necessity - the principle of accountability under Article 5 of the GDPR, which in practice is what the supervisory authority checks first. A breach of the data minimisation principle may result in a heavy financial penalty: it is not the content of the policy that matters, but proof that decisions regarding the scope of data were made with due care. A data minimisation policy set out in the information security management system (ISMS) documentation, but not substantiated in accordance with the principle of data minimisation - i.e. whether the fields in forms and databases still correspond to the declared purposes - is, in practice, a dead letter. A discrepancy between what the system actually stores and what is recorded in the processing activity register is the most common finding during audits, and the easiest to avoid if the review is planned rather than ad hoc or reactive, because a smaller amount of data the company holds also lowers data management costs and helps ensure that the organisation limits risk.
Part 2. Excess data as a risk to the security of personal data protection
From an information security perspective, any set of personal data stored without a legitimate need is an asset subject to risk assessment on the same terms as other information assets. Excess data is not neutral - it generates specific threats and vulnerabilities. Expansion of the attack surface and the scale of an incident. The more personal data within the system's scope, the greater the extent of the breach in the event of a successful ransomware attack or data exfiltration - which directly translates into the level of GDPR fines and reporting obligations to the CSIRT under the KSC Act, particularly when the incident concerns the data of natural persons and requires actions in accordance with the GDPR to safeguard their rights and freedoms. The larger the amount of data a company holds, the more records may be exposed. Data dispersion outside controlled repositories. Form text fields, logs, backups and application archives systematically accumulate personal data that was never intended to end up there - and remain there for much longer than the declared retention period, even after a record has been "deleted" from the production system. Good data management should therefore include regular reviews of data minimization practices to ensure that unnecessary fields and outdated records are removed, which also improves the quality and accuracy of information. The data controller should implement safeguards and appropriate data storage security measures to protect data against unauthorised access and unauthorised use. This is a vulnerability of a particular kind: it is impossible to secure or promptly delete data whose existence the organisation is unaware of. Increased risk of internal misuse. A larger dataset accessible to more people increases the likelihood of unauthorised use, regardless of intent - this is a purely statistical effect, exacerbated by the aforementioned "need-to-know" principle, i.e. restricting access to data solely to authorised persons, whilst maintaining appropriate confidentiality. For instance, if access rights are broader than necessary, processing of personal data may extend beyond the purposes for which the data was collected. Extended exposure window and supply chain risk. Data stored for longer than necessary remains exposed throughout that period, and a combination of seemingly harmless attributes can sometimes be sufficient to re-identify individuals even after pseudonymisation. In addition, organisations should limit how they collect, use and store data so that personal data should remain only as long as needed for which they are processed. Exposure increases further when surplus data is passed on to subcontractors - an area on which the amendment to the KSC Act places particular emphasis in the assessment of risks within the supply chain. Such processing must be managed in a way that ensures it complies with the law and serves to protect personal data, rather than retaining unnecessary data once the purpose has been achieved. Under the general data protection framework and other privacy laws, breaches of the data protection regulation GDPR may lead to fines of up to 20 million euro or 4% of global turnover, whichever is higher.
Minimisation in the personal data processing risk management plan
In ISO 27001 terminology, minimisation is a form of risk reduction achieved by removing an asset, rather than merely adding controls - less data means less risk to manage in the first place. This is complemented by the controls set out in Annex A of the standard, including the deletion of information or data masking. In the risk management plan, these threats - a lack of visibility over redundant data and the absence of a mechanism for its periodic deletion - are addressed by two integrated tools from Wizards' portfolio: Detecto and Oblivio.
**Detecto** (<https://wizards.io/wizards/detecto>) detects personal data and other sensitive data within databases - not in documents or files, which is the scope of a separate product from the same family (Revelio <https://wizards.io/wizards/revelio>). It connects to databases, analyses table structures and data samples, and classifies columns containing sensitive information based on rules, regular expressions, dictionaries and heuristics. From an information security perspective, the key feature is the ability to detect changes to the database schema: Detecto flags the moment when a new table or column needs to be included in the anonymisation process, before it becomes a redundant asset beyond control - it operates either as a one-off scan (preventative scan) or in continuous monitoring mode with incident handling. The result is a map of sensitive data identifying specific tables and columns - in one implementation, it covered over 8,000 tables in a twenty-year-old system belonging to an energy company, which had previously been unable to identify where personal and financial data were located within the database. **Oblivio** (<https://wizards.io/wizards/oblivio>) manages the retention of personal data and the right to be forgotten within IT systems, automating deletion and anonymisation in accordance with retention policies and the requirements of the GDPR, NIS2, KSC and DORA. It configures data sources (databases, file repositories, ERP/CRM/HR systems) and retention rules based on time, business events or external triggers, and then systematically executes the process automatically - either on a scheduled basis or on demand - with full accountability for the operations. This also covers the controller's obligations relating to establishing procedures for the permanent destruction of data and verifying that data is processed in accordance with the principle of data minimisation. Crucially for operational risk, Oblivio also safeguards against incorrect or excessive data deletion, whilst the consistent management of multiple systems with different legal bases eliminates error-prone manual processes that could compromise data integrity in other systems. It integrates with Detecto and Revelio, utilising their findings to locate data subject to retention both within structured databases and in locations outside them.
This combination directly addresses previously identified vulnerabilities: Detecto and Revelio eliminate the lack of visibility into redundant data, whilst Oblivio closes the window of exposure rather than leaving it open despite formally declared retention policies. Such safeguards should have designated risk owners within the Information Security Management System (ISMS) and be subject to effectiveness reviews. Regular staff training on data protection is also required, along with sensible organisational measures to support the implementation of these procedures. Data minimisation is a rare case in which compliance with a legal obligation simultaneously reduces the actual scope of risk. For management, which today bears personal responsibility for cybersecurity, this is an argument for treating minimisation as a key item in the risk register (especially as it concerns many information assets), rather than merely in the register of processing activities.