O3.14 Integrate strict data minimization protocols into design

Principle

O3: Ensure data privacy by design

Risk

Lifecycle Stage

Practices

Design forms and digital interfaces that collect only essential information (e.g. GDPR - General Data Protection Regulation).

Implement methods where direct identifiers are removed or replaced with pseudonyms.

Pseudonymized data might still be re-identifiable and should not be treated as anonomized without further scrutiny. It still requires access management, controlled processing enviroments, transaction protocols and a liability regime for misuse.

Periodically review data collection practices and storage to identify and eliminate unnecessary data, similar to practices in the California Consumer Privacy Act (CCPA)."

Resources