
Data Minimization

Data minimization is a core GDPR principle requiring organisations to collect and process only the personal data strictly necessary for the stated purpose. This principle compels organisations to justify every data point collected and avoid any excessive accumulation of information.

Enshrined in Article 5(1)(c) of the GDPR, data minimization requires that personal data be 'adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.' This principle applies from system design (privacy by design) throughout the entire data lifecycle.

In the KYC domain, data minimization presents a particular challenge. Regulatory obligations mandate the collection of extensive information (identity documents, proof of address, source of funds), but the principle prohibits going beyond what is strictly required. For instance, identity verification for a basic bank account does not justify collecting a payslip if regulations do not require it.

Modern document verification solutions embed this principle by offering 'selective verification' approaches: extracting only the necessary fields from a document, automatically redacting irrelevant information, and deleting document copies once verification is complete. This approach reduces exposure in the event of a data breach and simplifies GDPR compliance.


Real-world examples

  1. A property rental platform requests a passport copy, three months of bank statements, and a tax return: the data protection authority deems the bank statement collection disproportionate for a simple tenant identity verification.
  2. An identity verification provider configures its system to extract only the name, date of birth, and photo from an identity document, without storing the social security number visible on certain documents.
  3. An accounting firm automatically deletes copies of identity documents 30 days after client validation, retaining only a verification hash and the verification date.
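
The second and third examples above can be expressed as a per-purpose field allowlist plus a retention purge. The following Python sketch is an added illustration, not code from CheckFile or any provider mentioned here; the field names, the purpose key, and the use of SHA-256 over the document bytes as the "verification hash" are assumptions.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Assumed policy: the fields each processing purpose may keep (illustrative names).
ALLOWED_FIELDS = {
    "identity_verification": {"name", "date_of_birth", "photo"},
}
RETENTION = timedelta(days=30)  # document copies are deleted 30 days after validation

# Constructed sample input standing in for OCR output; not real data.
SAMPLE_DOC = b"constructed identity document bytes"
SAMPLE_OCR = {
    "name": "Jane Example",
    "date_of_birth": "1990-01-01",
    "photo": b"<constructed photo bytes>",
    "social_security_number": "000-00-0000",
    "address": "1 Sample Street",
}


def minimize(extracted: dict, purpose: str) -> dict:
    """Keep only allowlisted fields. An unknown purpose keeps nothing (fail closed)."""
    allowed = ALLOWED_FIELDS.get(purpose, set())
    return {k: v for k, v in extracted.items() if k in allowed}


def new_record(document: bytes, extracted: dict, purpose: str,
               validated_at: datetime) -> dict:
    """Build the stored record: minimized fields, document copy, hash, date."""
    return {
        "fields": minimize(extracted, purpose),
        "document_copy": document,
        "verification_hash": hashlib.sha256(document).hexdigest(),
        "verified_at": validated_at,
    }


def purge_expired(record: dict, now: datetime) -> dict:
    """Once retention has elapsed, keep only the hash and the verification date."""
    if now - record["verified_at"] < RETENTION:
        return record
    return {
        "verification_hash": record["verification_hash"],
        "verified_at": record["verified_at"],
    }


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed validation date
    rec = new_record(SAMPLE_DOC, SAMPLE_OCR, "identity_verification", t0)
    print(sorted(rec["fields"]))
    print(sorted(purge_expired(rec, t0 + timedelta(days=30))))
```

The allowlist is applied before anything is persisted, so fields such as the social security number never reach storage rather than being deleted afterwards.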
