
What Is Data Minimization? Key Principles for Protecting Customer Data

May 19, 2026 / Published by: Admin

According to the “Rethink Data” report by Seagate Technology, around 68% of the data owned by companies is never actually used again.

This condition is evident in many day-to-day business operations. Customer forms ask for information that is actually irrelevant to the service, old employee data remains stored for years, and digital archives keep piling up because there is no clear data retention policy.

As a result, organizations have to manage ever-growing volumes of data without comparable operational benefits.

The more data that is stored, the more complex data governance becomes. Access control becomes harder to manage, audit processes grow more complicated, and the risk of personal data protection violations increases as well.

Amid growing attention to data privacy and compliance with Indonesia’s Personal Data Protection Law (PDP Law), data minimization is an important principle for ensuring that organizations only manage data that is truly relevant and necessary.

What Is Data Minimization?

Data minimization is a data management principle which emphasizes that organizations should only collect, use, and store data that is truly necessary for a specific purpose. Nothing more.

There are three core elements behind this principle: the data collected must be relevant to the purpose of processing, the amount of data must not be excessive, and the data should only be retained for as long as necessary.

For example, account registration forms often ask for date of birth, full address, occupation, or marital status even though that information is not used in the service process. Under data minimization practices, organizations need to evaluate whether all of that data is truly necessary.

The same issue frequently occurs in HR processes. Many companies still keep documents from unsuccessful job candidates for years without a clear retention policy, even though the data may no longer have operational or legal value.

Data minimization is also closely related to risk reduction. The less sensitive data that is stored, the smaller the potential impact if a security incident or data breach occurs.

In many cases, leaked data actually comes from old archives, inactive databases, or information that is no longer used in day-to-day business operations.

Legal Basis & Data Minimization Regulations in Indonesia

The principle of data minimization is directly connected to Indonesia’s Personal Data Protection Law (PDP Law), enacted in 2022 under Law Number 27 of 2022.

The law states that personal data processing must be carried out in a limited, specific, lawful, and transparent manner according to the purpose of collection. This means organizations cannot freely collect data without a justifiable business need.

Two key principles that are highly relevant here are purpose limitation and data minimization. Both serve as foundational principles of the PDP Law and apply to the entire lifecycle of personal data collection, storage, and processing.

The business implications are clear. Collecting data that is not relevant to the services being provided may be considered a violation of lawful processing principles. Retaining data longer than necessary without a valid legal basis may also violate retention requirements regulated under the PDP Law.

It is important to note that the PDP Law applies to all personal data controllers and processors operating in Indonesia, regardless of business size. This means startups with hundreds of users and corporations with millions of customer records are subject to the same obligations.

Why Is Data Minimization Important?

Data minimization is important because it helps organizations reduce the risk of data breaches, simplify data governance, and lower the overall burden of information management.

Many companies store massive amounts of data under the assumption that all information might someday become useful. In reality, however, much of that data is never used again.

Old databases, unstructured archive files, and inactive customer records often continue to accumulate without regular evaluation. This creates several risks at once:

  • First, the larger the volume of stored data, the greater the potential impact if a data breach occurs. Security incidents are influenced not only by the quality of security systems, but also by the amount and sensitivity of the exposed data.
  • Second, excessive data complicates data governance. IT, compliance, and security teams face greater difficulty mapping data flows, controlling access, and consistently implementing retention policies.
  • Third, uncontrolled data storage increases operational costs. Many organizations continue paying for storage capacity used by data that no longer holds business value or regulatory relevance.

Data minimization also helps limit excessive internal access. In many cases, customer data or internal business information can be accessed by too many parties because there is no clear classification or access restriction policy.

The wider the access to sensitive data, the greater the risk of human error, misuse, or insider threats.

In addition, leaner data management makes audits and compliance processes much easier. Organizations can identify sensitive data more quickly, understand data processing flows more clearly, and ensure protection controls are applied consistently.

Principles of Data Minimization

The implementation of data minimization is built upon five interconnected operational principles. Each principle addresses a specific question within the data lifecycle.

1. Collect Only Necessary Data

The main principle of data minimization is to collect only the data genuinely required for a specific business purpose.

If a service only needs an email address and phone number for communication purposes, then requesting additional information such as a full address or other identity details should be reevaluated.

Excessive data collection increases compliance risks and amplifies the impact if a data breach occurs.

2. Limit the Purpose of Data Usage

Data collected for one purpose should not be used for another purpose without obtaining new consent from the data subject.

For example, a phone number provided for order confirmation purposes cannot automatically be used for marketing campaigns without explicit permission.

Violations of this principle often occur when marketing teams access operational databases for promotional activities without a clear consent mechanism.

3. Limit Data Retention

Data should only be stored for as long as necessary to fulfill its processing purpose. After that, the data should be deleted or anonymized.

In many organizations, old data continues to accumulate because there is no retention policy defining when the data should be destroyed.

The longer data is retained, the greater the security exposure and management burden. Retention limitations help organizations determine when data should be deleted, archived, or anonymized.

4. Restrict Data Access

Not everyone within an organization needs access to all data.

In many business operations, customer databases or internal documents are often shared too broadly for the sake of convenience. Uncontrolled access, however, increases the risk of data misuse and human error.

In this context, businesses can apply the principle of least privilege, which ensures individuals only receive access to the data required for their job responsibilities.

For example, customer service staff handling delivery complaints should not need full access to customer financial information.

5. Conduct Regular Reviews of Stored Data

Data that is relevant today may no longer be relevant several years later.

For that reason, organizations should conduct periodic reviews of the data they store. This process helps identify unused data, duplicate records, and information that should already have been deleted.

Without regular evaluation, data volumes will continue growing and data governance will become increasingly difficult to control.

Practical Ways to Implement Data Minimization

Implementing data minimization in an active business environment requires systematic action, not just policy recommendations. Below are practical steps that compliance, IT, and legal teams can execute.

1. Audit the Data Being Collected

Start by mapping all data collection points: registration forms, checkout pages, customer surveys, CRM systems, and API integrations with third-party vendors.

For every data attribute collected, label it as either “mandatory” or “optional.”

Then, document the business justification for each mandatory attribute. If the justification cannot be clearly explained in one sentence, the attribute becomes a candidate for removal.

2. Review Forms and Business Processes

Digital forms often become accumulators of excessive data over time. Whenever teams add new questions for temporary needs, those fields are rarely removed afterward.

Review every form with the following question: “What decision or action will be taken based on this data?”

If the data is collected merely “in case it becomes useful later,” the process violates the principle of data minimization.

This evaluation helps ensure that every requested data point has a clear operational purpose.

3. Delete Data That Is No Longer Needed

This step is particularly sensitive because it affects production databases. A careful separation between active and inactive data is necessary.

Create categories based on data age: data with interactions within the last 12 months, data without interactions for 12–36 months, and data inactive for more than 36 months.

For the oldest category with no legal retention obligations, schedule permanent deletion. For mid-range data, evaluate whether the remaining business value outweighs the risks of continued storage.

This evaluation process requires coordination between IT, legal, and business process owners to ensure deletion is carried out properly and documented accordingly.

4. Implement a Written Data Retention Policy

A retention policy helps organizations determine how long data should be kept and when it should be deleted.

A good retention policy should not only specify timeframes, but also define automatic or semi-automatic deletion mechanisms once the retention period expires.

For example, a policy stating that “system access logs are retained for 90 days” should be supported by cron jobs or scripts that automatically delete logs older than 90 days.
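The age-based tiering in step 3 and the policy-driven deletion in step 4 can be expressed as one small script. The following is an added example, not code from the original article or from Adaptist Consulting. The record model, the policy table (90 days for access logs; customer records reviewed after 12 months and deleted after 36 months, approximated here as 365 and 1095 days) and the authorizing identity are assumptions for illustration. Records under a legal hold are never deleted, data categories with no policy fall to review rather than living on unnoticed, and every delete or hold decision produces the audit fields that step 6 below asks for (what, when, under which policy, who authorized).

```python
"""Retention tiering and policy-driven deletion with an audit trail.

Added example; not code from the original article. The Record model,
the POLICY table and the authorizing identity are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str             # e.g. "customer", "access_log"
    last_interaction: datetime
    legal_hold: bool = False  # statutory or litigation hold blocks deletion


# Retention policy per data category (hypothetical values mirroring the
# article's examples: 90 days for access logs; customer data reviewed after
# 12 months and deleted after 36 months, approximated as 365 / 1095 days).
POLICY = {
    "access_log": {"delete_after_days": 90, "review_after_days": None},
    "customer": {"delete_after_days": 1095, "review_after_days": 365},
}


def classify(record: Record, now: datetime, policy=POLICY) -> str:
    """Return one of 'keep', 'review', 'delete', 'hold' for a record."""
    rule = policy.get(record.category)
    if rule is None:
        # Unmapped category: never auto-delete, but never let it live
        # forever unnoticed either. Flag it for human review.
        return "review"
    age_days = (now - record.last_interaction).days
    if age_days >= rule["delete_after_days"]:
        # Past retention: delete unless a legal hold overrides the policy.
        return "hold" if record.legal_hold else "delete"
    review_after = rule["review_after_days"]
    if review_after is not None and age_days >= review_after:
        return "review"
    return "keep"


def apply_retention(records, now: datetime, authorized_by: str, policy=POLICY):
    """Partition records by decision and build an audit entry for each
    deletion or hold: what, when, under which policy, and who authorized."""
    decisions = {"keep": [], "review": [], "delete": [], "hold": []}
    audit = []
    for rec in records:
        decision = classify(rec, now, policy)
        decisions[decision].append(rec.record_id)
        if decision in ("delete", "hold"):
            rule = policy[rec.category]
            audit.append({
                "record_id": rec.record_id,
                "category": rec.category,
                "decision": decision,
                "policy": f"{rec.category}: delete after {rule['delete_after_days']} days",
                "data_age_days": (now - rec.last_interaction).days,
                "decided_at": now.isoformat(),
                "authorized_by": authorized_by,
            })
    return decisions, audit


# Constructed sample data for the run below (not real customers or logs).
NOW = datetime(2026, 5, 19, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("cust-001", "customer", NOW - timedelta(days=30)),
    Record("cust-002", "customer", NOW - timedelta(days=500)),
    Record("cust-003", "customer", NOW - timedelta(days=1200)),
    Record("cust-004", "customer", NOW - timedelta(days=1200), legal_hold=True),
    Record("log-001", "access_log", NOW - timedelta(days=91)),
    Record("log-002", "access_log", NOW - timedelta(days=10)),
    Record("sbx-001", "sandbox_export", NOW - timedelta(days=2000)),
]


if __name__ == "__main__":
    tiers, audit_log = apply_retention(SAMPLE_RECORDS, NOW, authorized_by="dpo@example.com")
    for tier, ids in tiers.items():
        print(f"{tier:7s} {ids}")
    for entry in audit_log:
        print(entry)
```

In production the "delete" list would feed the actual purge job and the audit entries would be written to an append-only store; the point of keeping classification separate from deletion is that the decision can be reviewed (and the legal-hold exception tested) before anything touches a production table.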

5. Restrict Access Based on Job Requirements

Review user access rights to databases and systems storing personal data.

In many organizations, read access to customer databases was granted for specific projects but never revoked after the projects ended.

Apply the principle of least privilege to every role. For individuals who do not require access to raw data, provide aggregated or anonymized alternatives instead.

Access restrictions should also be reviewed regularly, especially after role changes or employee departures. Unused but still-active accounts are security gaps that organizations often overlook.

6. Document Every Data Minimization Action

Compliance with the PDP Law requires evidence. Maintain audit records containing details such as what data was deleted, when it was deleted, under which policy, and who authorized the action.

This documentation becomes a critical defense tool in the event of disputes or regulatory inspections.

Challenges in Implementing Data Minimization

In practice, many organizations encounter resistance and non-technical barriers when implementing data minimization. Recognizing these challenges early helps create more realistic strategies.

The “Store Everything” Culture

A common mindset among many data and product teams is: “Storage is cheap, so why not keep everything?”

This assumption ignores the fact that the real costs extend far beyond storage media. Organizations also bear security costs, compliance costs, and recovery costs if incidents occur.

Changing this mindset requires awareness that every piece of data represents a liability, not just an asset.

Unclear Data Ownership

In medium-sized and large organizations, it is often unclear who actually owns a particular dataset.

Customer databases may belong to the marketing team but are also accessed by sales, support, billing, and analytics teams.

When no single party is fully responsible for the data lifecycle, retention and minimization policies are rarely executed because everyone assumes it is “someone else’s responsibility.”

Legacy Systems That Are Difficult to Clean Up

Legacy applications that have been running for a decade or more often contain chaotic database schemas.

There may be no clear documentation explaining the purpose of each field. Current teams become afraid to delete data because they do not know whether certain columns are still being used by hidden processes or outdated reports.

In situations like this, data minimization requires reverse engineering efforts and extensive testing.

Data Scattered Across Multiple Platforms

Modern businesses use a wide range of SaaS tools: CRM platforms, marketing automation software, support ticketing systems, internal databases, and spreadsheets stored on employee devices.

Data minimization efforts must cover all of these silos.

A common situation is when data in the main database has already been cleaned up, but the same information still exists in exported CSV files on employee hard drives or forgotten sandbox environments.

Fear of Losing Business Insights

Analytics teams often resist data deletion because they believe “historical data is important for long-term trend analysis.”

This concern can be addressed through anonymization or aggregation rather than retaining raw personal data.

For example, instead of storing detailed transaction records belonging to inactive customers, organizations can keep monthly aggregated summaries without personal identifiers.

This allows businesses to preserve analytical insights without maintaining the risks associated with raw personal data.
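The role-based restriction described under Restrict Data Access and in step 5 above, and the aggregation suggested here, can be implemented together: roles doing operational work receive only the fields their job needs, and analytics receives monthly aggregates with no identifiers at all. This is an added example, not code from the original article or from Adaptist Consulting; the transaction records, the three roles and their field allow-lists, and the k_min suppression threshold are constructed for illustration. Months with fewer than k_min distinct customers are withheld, because a single-customer bucket would reveal that person's spending even though no name appears in the output.

```python
"""Field-level least privilege plus identifier-free aggregation.

Added example; not code from the original article. The transaction
records, the roles and their field allow-lists, and the k_min threshold
are hypothetical.
"""
from collections import defaultdict

# Constructed sample: raw rows as the operational store would hold them.
TRANSACTIONS = [
    {"customer_id": "C-1001", "name": "Ayu", "email": "ayu@example.com",
     "order_id": "O-1", "month": "2026-01", "amount": 150000,
     "card_last4": "4242", "status": "delivered"},
    {"customer_id": "C-1002", "name": "Budi", "email": "budi@example.com",
     "order_id": "O-2", "month": "2026-01", "amount": 200000,
     "card_last4": "1881", "status": "delivered"},
    {"customer_id": "C-1003", "name": "Citra", "email": "citra@example.com",
     "order_id": "O-3", "month": "2026-01", "amount": 50000,
     "card_last4": "0005", "status": "cancelled"},
    {"customer_id": "C-1001", "name": "Ayu", "email": "ayu@example.com",
     "order_id": "O-4", "month": "2026-02", "amount": 300000,
     "card_last4": "4242", "status": "delivered"},
    {"customer_id": "C-1002", "name": "Budi", "email": "budi@example.com",
     "order_id": "O-5", "month": "2026-02", "amount": 120000,
     "card_last4": "1881", "status": "returned"},
    {"customer_id": "C-1004", "name": "Dewi", "email": "dewi@example.com",
     "order_id": "O-6", "month": "2026-03", "amount": 75000,
     "card_last4": "9876", "status": "delivered"},
]

# Allow-list per role (hypothetical). A field not listed is never returned,
# and a role not listed gets nothing: least privilege is deny-by-default.
ROLE_FIELDS = {
    "billing": {"customer_id", "name", "order_id", "month", "amount",
                "card_last4", "status"},
    # Support handles delivery complaints: contact details and order state
    # only, no amounts and no card data.
    "support": {"customer_id", "name", "email", "order_id", "month", "status"},
}


def project(rows, role):
    """Return rows reduced to the fields the role is entitled to."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise PermissionError(f"role {role!r} has no entitlement to this dataset")
    return [{k: v for k, v in row.items() if k in allowed} for row in rows]


def monthly_aggregate(rows, k_min=2):
    """Per-month totals with no personal identifiers.

    Months with fewer than k_min distinct customers are suppressed: a
    single-customer month would disclose that person's spending even
    though no identifier appears in the output.
    """
    buckets = defaultdict(lambda: {"orders": 0, "customers": set(), "total_amount": 0})
    for row in rows:
        bucket = buckets[row["month"]]
        bucket["orders"] += 1
        bucket["customers"].add(row["customer_id"])
        bucket["total_amount"] += row["amount"]
    released, suppressed = {}, []
    for month in sorted(buckets):
        bucket = buckets[month]
        if len(bucket["customers"]) < k_min:
            suppressed.append(month)
            continue
        released[month] = {"orders": bucket["orders"],
                           "customers": len(bucket["customers"]),
                           "total_amount": bucket["total_amount"]}
    return released, suppressed


def data_for_role(rows, role):
    """Analytics never sees raw rows; every other role gets its projection."""
    if role == "analytics":
        released, _ = monthly_aggregate(rows)
        return released
    return project(rows, role)


if __name__ == "__main__":
    print("billing  ", data_for_role(TRANSACTIONS, "billing")[0])
    print("support  ", data_for_role(TRANSACTIONS, "support")[0])
    print("analytics", data_for_role(TRANSACTIONS, "analytics"))
```

The same allow-list idea maps directly onto database views or column grants; doing it in the application layer, as here, is the fallback when the data store cannot enforce column-level access itself. The suppression threshold is deliberately a parameter: the right k_min depends on how small the customer base is and how much an attacker could already infer.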


Conclusion

Data minimization is not merely a technical issue relevant only to IT teams. It is a governance principle that directly affects business risk, regulatory compliance, and customer trust.

Businesses that continue collecting and storing data without clear controls face disproportionate exposure: more data that can potentially leak, more difficulty during compliance audits, and heavier operational burdens over time.

Indonesia’s Personal Data Protection Law (PDP Law) has already established a clear legal framework, so excessive data collection is no longer merely bad practice but a potential compliance violation.

The first step does not need to be massive. A simple audit of collected data, combined with a written retention policy, already provides a far stronger foundation than taking no action at all.

Adaptist Consulting Profile

Adaptist Consulting is a technology and compliance firm dedicated to helping organizations build secure, data-driven, and compliant business ecosystems.
