One of the most powerful privacy principles is also one of the simplest: collect only what you genuinely need. Data minimisation is a GDPR principle, and it makes sense: data you do not have cannot leak, cannot be misused and does not need protecting. Yet many organisations collect too much out of habit.
What does data minimisation mean?
The GDPR requires that personal data be "adequate, relevant and limited to what is necessary" for the purpose. In plain terms: do not collect more than needed, and not "just in case".
The principle applies across the life of data: when collecting, but also when retaining. What you no longer need, you delete. Less data means less risk and less work to protect.
Why less is safer
Every extra data point is an extra risk. A form asking for ten fields when three are needed increases the impact of a breach with no added value.
Data you do not collect, you need not secure, store or account for during an audit. Minimisation thus lowers your risk, cost and complexity at the same time.
Practical examples
Data minimisation becomes concrete in everyday choices:
- Forms: ask only for fields you actually use. Do you need a date of birth, or does "18 or over" suffice?
- Email: don't attach the whole list when the recipient needs only one row.
- Copies: don't make stray copies of files "for convenience" that then linger around.
- Retention periods: clear out old data once the purpose is met.
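The form and retention points above, worked through in code. This is an added example, not part of the original article: a hypothetical sign-up handler that receives a date of birth, derives only the "18 or over" fact the purpose needs, ignores fields it was not asked to use (a phone number the form happened to send), and a retention job that deletes records once the assumed 30-day purpose has passed. The field names, the 30-day period and the sample submissions are all constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Assumed retention period for this purpose (hypothetical; set per processing purpose).
MAX_AGE_DAYS = 30


@dataclass
class Record:
    """What the system actually stores: no name, no address, no date of birth."""
    email: str
    is_adult: bool
    created_at: datetime


def is_adult(dob: date, today: date) -> bool:
    """Derive the single fact the purpose needs; the DOB itself is never persisted."""
    try:
        cutoff = today.replace(year=today.year - 18)
    except ValueError:
        # 29 February in a non-leap year: treat 28 February as the birthday.
        cutoff = today.replace(year=today.year - 18, day=28)
    return dob <= cutoff


def accept_submission(form: dict, today: str, now: str) -> Record:
    """Minimised intake: read only the fields the purpose uses and keep only derived facts.

    `today` and `now` are ISO-8601 strings so the function is easy to test deterministically.
    Extra keys in `form` (e.g. "phone") are neither read nor stored.
    """
    dob = date.fromisoformat(form["date_of_birth"])
    return Record(
        email=form["email"].strip().lower(),
        is_adult=is_adult(dob, date.fromisoformat(today)),
        created_at=datetime.fromisoformat(now),
    )


def purge_expired(records: list[Record], now: str, max_age_days: int = MAX_AGE_DAYS) -> list[Record]:
    """Retention: return only records still inside the purpose's retention window."""
    cutoff = datetime.fromisoformat(now) - timedelta(days=max_age_days)
    return [r for r in records if r.created_at >= cutoff]


if __name__ == "__main__":
    # Constructed submission; "phone" is sent by the form but never stored.
    rec = accept_submission(
        {"email": " Jane@Example.com ", "date_of_birth": "2000-01-15", "phone": "0612345678"},
        today="2024-06-01",
        now="2024-06-01T10:00:00+00:00",
    )
    print(rec)
```

The point of the design is that the minimised shape is enforced by the `Record` type, not by a reviewer remembering to leave fields out: anything not in the dataclass cannot be stored, and the retention rule is a function that runs on a schedule rather than a policy document.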
Data minimisation and AI
With AI tools, minimisation matters even more. Pasting a full document into a free AI prompt to "quickly summarise something" often shares far more data than needed, with a party your organisation has no agreement with.
Ask which data the tool genuinely needs, and remove or anonymise the rest. For work, use only approved services.
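The "remove or anonymise the rest" step, as an added example that is not from the original article: a small pre-prompt filter that replaces direct identifiers (email addresses, IBANs, phone numbers and any names the caller already knows) with placeholders before text leaves the organisation. The patterns are an assumed starter set, not an exhaustive PII detector, and the customer message is constructed for the example; a real deployment would extend the patterns to its own data and still rely on an approved service for anything sensitive.

```python
import re

# Assumed starter patterns for identifiers people paste by accident. Extend per organisation.
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
IBAN = re.compile(r"\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]{4}){2,7}(?:[ ]?[A-Z0-9]{1,4})?\b")
# Loose candidate for phone-like runs; digit count is checked separately so dates survive.
PHONE_CANDIDATE = re.compile(r"(?<!\w)\+?\d[\d ()-]{6,}\d(?!\w)")
MIN_PHONE_DIGITS = 9


def minimise_for_prompt(text: str, known_names=()) -> tuple[str, dict[str, int]]:
    """Return (redacted text, counts of what was removed).

    Names are handled first so a later pattern cannot split them; phone candidates are only
    redacted when they contain enough digits to be a number rather than a date or order id.
    """
    counts: dict[str, int] = {}
    redacted = text

    for name in known_names:
        redacted, n = re.subn(re.escape(name), "[NAME]", redacted, flags=re.IGNORECASE)
        if n:
            counts["NAME"] = counts.get("NAME", 0) + n

    redacted, n = EMAIL.subn("[EMAIL]", redacted)
    if n:
        counts["EMAIL"] = n

    redacted, n = IBAN.subn("[IBAN]", redacted)
    if n:
        counts["IBAN"] = n

    def phone_repl(m: re.Match) -> str:
        if sum(ch.isdigit() for ch in m.group(0)) >= MIN_PHONE_DIGITS:
            counts["PHONE"] = counts.get("PHONE", 0) + 1
            return "[PHONE]"
        return m.group(0)  # too few digits: a date or reference, leave it

    redacted = PHONE_CANDIDATE.sub(phone_repl, redacted)
    return redacted, counts


# Constructed ticket text; the person, address and account are invented.
SAMPLE = (
    "Hi team, customer Jane Example (jane.example@example.com, +31 6 1234 5678) "
    "wants a refund to NL91ABNA0417164300 for order 2024-06-01. Please summarise."
)

if __name__ == "__main__":
    text, removed = minimise_for_prompt(SAMPLE, known_names=("Jane Example",))
    print(text)
    print(removed)
```

The returned counts are worth logging locally (not sending): a spike in redactions from one team is a useful signal that people are pasting whole tickets or exports into prompts, which is exactly the habit the awareness programme is trying to change.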
How to embed this in your awareness programme
Minimisation is mainly a thinking habit; train the rule of thumb, not the legal text.
- Teach one question and repeat it everywhere: "do I genuinely need this for this purpose?"
- Focus on roles that use forms, surveys and AI tools.
- Make it concrete with a before-and-after example of a form that asked for too much.
- Offer depth via our course catalogue.
Related articles
- The six legal bases for processing personal data
- Securely destroying data: paper, drives and cloud data
FAQ
What is data minimisation?
A GDPR principle stating that you only collect personal data that is adequate, relevant and limited to what is necessary for your purpose. In short: collect no more than needed and keep no longer than needed.
Why is collecting less data safer?
Data you do not have cannot leak or be misused and does not need protecting. Minimisation lowers your risk, cost and the complexity of security at the same time.
How do I apply data minimisation to forms?
Ask only for fields you actually use for the purpose. If in doubt about a field, leave it out. Often a confirmation like "18 or over" suffices instead of a full date of birth.
Does data minimisation apply to AI tools too?
Yes, especially there. Don't paste more into an AI tool than needed, as this often shares far more data than the purpose requires. Remove or anonymise unnecessary data and use only approved services for work.
What is the simplest rule of thumb?
For each data point, ask: do I genuinely need this for this purpose? If not, don't collect it. If yes, don't keep it longer than needed. That one question prevents many unnecessary risks.