As global data protection regulations continue to evolve, data minimization has emerged as a cornerstone principle in ensuring privacy compliance and reducing organizational risk. Therefore, privacy professionals must learn how to assess data necessity, engage stakeholders in minimizing data exposure, and maintain compliance with data privacy laws and emerging global standards. Join us for an insightful webinar designed to equip privacy, IT, security, and compliance professionals with practical strategies for implementing Privacy by Design and effective data minimization principles. This session will explore how to embed privacy proactively into systems and processes, reduce unnecessary data collection, and align data practices with regulatory expectations. We’re excited to feature ManpowerGroup who will share their organization’s real-world journey toward implementing effective data minimization strategies, highlighting key lessons learned and measurable impacts. This webinar will review: - Clear definitions and legal foundations of data minimization under GDPR, CPRA, and other key regulations - Practical techniques for identifying and reducing unnecessary data collection and storage - Tools and frameworks for integrating data minimization into privacy impact assessments (PIAs) and data inventories - Guidance on setting retention limits and automating data disposal processes - Data storage practices you need to know about

1. © 2025 TrustArc Inc. Proprietary and Confidential Information.
Data Minimization in Practice:
Reducing Risk, Enhancing Compliance

2. 2
Legal Disclaimer
The information provided during this webinar does
not, and is not intended to, constitute legal advice.
Instead, all information, content, and materials presented during
this webinar are for general informational purposes only.

3. 3
Speakers
Martin Macke
Global Privacy Director
ManpowerGroup
Janalyn Schreiber
Senior Privacy Consultant
TrustArc

4. Agenda
1. Why Data Minimization Matters
2. Legal Foundations of Data Minimization
3. CPRA & Data Minimization
4. GDPR & Data Minimization
5. Technological Challenges
6. Practical Implementation
7. AIʼs Impact on Data Minimization
8. What is “Data Retention”?
9. Why Retention & Disposal Matters
a. Regulatory Drivers
b. Risk Management Drivers
c. Retention Requirements
d. Practical Implementation
10. Q&A

5. 5
Why Data Minimization Matters
● Evolving regulations require stronger
privacy practices.
● Data breaches and over-collection create
risk exposure.
● Trust and reputation depend on data
minimization.

6. 6
Legal Foundations of Data Minimization
1. GDPR: Data must be adequate, relevant,
and limited
2. CPRA: Collection limited to reasonably
necessary purposes
3. Other frameworks: OECD Guidelines, ISO
standards
4. Principles: Purpose limitation, storage
limitation, Privacy by Design

7. 7
CPRA & Data Minimization
PRA requires businesses to collect, use, retain, and share personal
information only to the extent that is “reasonably necessary and
proportionate” to achieve the disclosed purpose.
• Applies to all personal information processing, not just sensitive data.
Key Compliance Obligations
• Purpose Limitation: PI canʼt be used for unrelated, undisclosed purposes.
• Necessity & Proportionality: Limit processing to what is strictly needed.
• Retention Disclosure: Businesses must inform consumers of retention
periods (or criteria for determining them).
Risks of Non-Compliance
• Broader AG and CPPA enforcement powers under CPRA.
• Violations can be pursued even without a data breach.

8. 8
GDPR & Data Minimization
Legal Basis (Article 5(1)(c) GDPR) - Personal data must be:
• Adequate – sufficient to achieve the stated purpose
• Relevant – logically connected to the purpose
• Limited – restricted to what is necessary for that purpose
Enforcement Examples - Regulators have fined organizations for:
• Collecting excessive HR or customer data not justified by purpose
• Retaining data far beyond disclosed timelines
• Emphasis on proportionality and demonstrable necessity.
Practical Implications:
• Each data element must pass a “necessity test.”
• Requires ongoing review of forms, systems, and retention schedules.
• Strong link to Privacy by Design obligations (Art. 25 GDPR).

9. 9
Data Minimization – Technological Challenges
● Disposition Techniques:
Only 30% of organizations in Deloitte 2020 survey
were adopting automated erasure techniques for
data on completion of the retention period.
● Auditing Controls & Capabilities:
Only 32% are prepared for and may have
conducted audits of processing activities with
respect to end-of-life of personal data.
● Security Risks:
The impact of a breach could be significantly
worse if data has been held onto longer than
necessary.

10. 10
Data Minimization – Practical Implementation
● Map Processing Purposes/RoPAs: Document
why each category of PI is collected and confirm
necessity.
● Data Tagging/Lineage: Understand provenance
and data lifecycle (is this a derivative data set that
you should keep or destroy?).
● “Reasonable” Retention”: How does the
organization (and your customers) define “as long
as necessary”.
● Externally Available Schedules: Retention
schedules & advice providing min/max time for
certain categories of data in different jurisdictions.

11. 11
Data Minimization – Practical Implementation
● Align Privacy Notices: Ensure notices clearly state
categories, purposes, and retention.
● Vendor Contracts (DPAs): Require service providers/
contractors to apply same minimization standards.
● PIAs: Incorporate minimization tests when
evaluating new processing.
● Audit & Monitor: Review collection points (forms,
apps, systems) for excess fields and data creep.

12. 12
AI’s Impact on Data Minimization
The Tension - AI thrives on “more”
Practical Impacts
• Purpose Creep Risk: AI re-uses data beyond
original purposes, challenging minimization
boundaries.
• Retention Stretching: Models often require
historical data for training and validation, creating
pressure to keep data longer.
• Opaque Justification: Harder to explain why
certain data elements are “necessary” in AI
contexts.

13. 13
AI’s Impact on Data Minimization
Evolving Solutions
• Privacy-enhancing tech: Synthetic data, federated
learning, and anonymization support minimization.
• Dynamic retention rules: Segment datasets for
model lifecycle needs vs. operational/legal needs.
• Governance updates: Clear guardrails for AI use
cases, ensuring data retention aligns with stated
business and regulatory purposes.

14. 14
What is “Data Retention”?
The storing of information for a specified period of time.
Records Management Program:
• What data should be stored?
• Where should this storage happen?
• How long should this data be stored?
• Certification or auditing standards?
• Disposition, archival, backup policies?

15. 15
Why Retention & Disposal Matters – Regulatory Drivers
• GDPR (Art. 5(1)(e)) – Data must be kept no longer than
necessary for the purposes collected.
– Danish DPA fines IDDesign A/S for 1.5 million DDK
– CNIL fines INFOGREFFE for €250,000
– Berlin DPA fines Deutsche Wohnen €250,000
• CPRA/CCPA – Businesses must disclose retention
periods and only retain data as long as reasonably
necessary and proportionate.
• Other laws (HIPAA, GLBA, SOX, employment, sectoral
regs) impose specific retention/disposal mandates.

16. 16
Why Retention & Disposal Matters – Risk Management Drivers
• GDPR (Art. 5(1)(e)) – Data must be kept no longer
than necessary for the purposes collected.
• Security – Unnecessary data increases breach impact
and incident response costs.
• Legal Discovery – Data hoarding drives e-discovery
costs and liability exposure.
• Reputation & Trust – Customers expect responsible
stewardship of their data.
• Operational Efficiency – Storage costs, system bloat,
and data quality issues.

17. 17
Retention Requirements
• Define stakeholders, administrators & oversight
• Consider data types (based upon data inventory &
classification)
• Active input & regular feedback on legal, business &
regulatory requirements
• Clarify key terms (official vs. unofficial record, backup
vs. archive)
• Have a plan for “legal hold” & disposition method(s)
• Annual review (of policy & actual data assets)

18. 18
Retention & Disposal – Practical Implementation
Retention Policies
• Define clear, defensible schedules by data category
• Document legal/regulatory basis for retention periods
• Publish retention timelines in privacy notices
(GDPR/CPRA)
Automation & Technology
• Embed rules into enterprise tools (e.g., M365, Google
Workspace, Salesforce)
• Use automated workflows for archiving and deletion
• Apply pseudonymization/anonymization when full
deletion isnʼt feasible

19. 19
Retention & Disposal – Practical Implementation
Risk Reduction
• Regularly review and purge “dark data” and duplicates
• Minimize breach impact by reducing unnecessary stored data
Governance & Accountability
• Assign ownership (privacy + IT + records management)
• Track deletion actions and maintain audit trails
• Train employees on following retention/disposal standards

20. 20
Retention & Disposal – Practical Implementation
Retention Policies
• Define clear, defensible schedules by data category
• Document legal/regulatory basis for retention periods
• Publish retention timelines in privacy notices
(GDPR/CPRA)
Automation & Technology
• Embed rules into enterprise tools (e.g., M365, Google
Workspace, Salesforce)
• Use automated workflows for archiving and deletion
• Apply pseudonymization/anonymization when full
deletion isnʼt feasible

21. 21
Thank You!