Compliance, Collaboration, and Cybersecurity: Why Data Minimisation Is the Answer to the Big Problems

10/24/2025

Organisations are awash with data, leading to the phrase, “Data is the new oil,” becoming a cliché. Yet, the reality is more nuanced and, at times, more perilous than this optimistic analogy suggests.  

While data undoubtedly holds immense value, the unchecked accumulation of information brings with it a host of challenges that include spiralling costs, compliance headaches, collaboration bottlenecks, and an ever-expanding cyberattack surface.  

At CyberCon in Melbourne, I explored how data minimisation – the principle of collecting, processing, and storing only what is truly necessary – can help organisations address these pressing issues and unlock a safer, more collaborative, and compliant digital future.

The Data Dilemma: Growth, Duplication, and Risk

According to our 2025 State of AI report, the scale of the data dilemma is staggering:  

  • 79.2% of organisations now manage at least 1 PB of data, and 51.6% manage more than 500 PB, up 25% from last year.
  • 66.2% of organisations with up to 1 PB of data experienced data security incidents.
  • 90.6% have an information management strategy, but only 30.3% rate their data classification as highly effective.
  • For 70.7% of organisations, at least half of their data is more than five years old.
  • 84.6% use multiple data storage platforms. 

The more data we collect, the more value we think we have, but this mindset creates a complex and costly environment, with mounting compliance burdens, hindered collaboration, and a vastly expanded cyberattack surface.

Data minimisation is the principle of collecting, processing, and storing only the necessary amount of personal information required for a specific purpose.  

By reducing data volumes and focusing on relevance, organisations can simplify compliance, enhance collaboration, and strengthen cybersecurity — all while improving operational efficiency and trust.

Compliance 

In Australia, the regulatory landscape is evolving rapidly. The Privacy Act, Australian Privacy Principles (APPs), Consumer Data Right, APRA Prudential Standards, and various records acts all place strict requirements on how organisations handle personal information.  

The most direct principle is APP 3, which states that organisations must only collect personal information if it is “reasonably necessary” for their functions or activities. This forces us to ask critical questions before collecting any data: Do we really need this information? What purpose does it serve? Can we achieve our goals without it?

Other relevant principles include: 

  • APP 10, which requires organisations to ensure the quality, accuracy, and completeness of the data they collect
  • APP 11, which mandates reasonable steps to protect personal information from misuse, loss, or unauthorised access
  • APPs 12 and 13, which give individuals the right to access and correct their data

Data minimisation makes compliance easier by reducing the amount of data to manage, improving quality, and streamlining access and correction processes. By maintaining a smaller, more focused set of data, organisations can more easily ensure its quality, protect it from threats, and respond efficiently to data subject requests. Strong data governance ensures these minimisation principles are consistently applied across the organisation. 

Collaboration  

The shift to hybrid working styles and the need for seamless collaboration across locations, devices, and platforms are now the norm. But with increased connectivity comes increased responsibility to maintain robust data governance practices.  

Data minimisation supports collaboration by improving data quality and accuracy, enabling teams to work with reliable information, not redundant, obsolete, or trivial (ROT) data. It enhances efficiency, as smaller datasets mean faster searches and better system performance. Security in shared projects is also improved: only the necessary data is shared, reducing risk if an account is compromised. Compliance with regulations also becomes easier when less personal data is shared across jurisdictions.

Cybersecurity

From ransomware and phishing to AI-orchestrated attacks, organisations face a barrage of risks that are continually evolving.  

Data minimisation helps reduce the amount of data held and shrink organisations’ attack surface, making it more difficult for hackers to find valuable information to exploit and reducing the risk of data leakage. If a breach occurs, the volume and sensitivity of compromised data are reduced, lessening financial and reputational damage.

Security teams can focus their resources on protecting a smaller, well-defined dataset, making it easier to implement robust security measures like encryption and access controls, and to monitor for suspicious activity. This shifts the focus from reactive clean-up to proactive risk mitigation, enabling organisations to invest in initiatives that drive growth rather than simply plugging security gaps.

Data Minimisation in Practice  

In Australia, data minimisation is a central pillar of the Privacy Act 1988 and the Consumer Data Right regime. Accredited entities can only collect data “reasonably needed to provide the good or service” that the consumer has consented to. This gives consumers greater control over their data and ensures that organisations are not holding information without a clear, legitimate purpose.

Implementing data minimisation requires a strategic approach:  

  • Define your purpose. It starts with knowing your data governance strategy and aligning it with your organisation’s mission and strategic priorities. For every piece of personal information, ask: Why are we collecting this? What is its specific, legitimate purpose? If you don’t have a clear answer, reconsider collecting it.  
  • Conduct an assessment. Determine inactive and relevant data, identify exposed and sensitive workspaces, assets, and information, and pinpoint user and sensitive exposure hotspots and risks. You can’t minimise what you don’t know you have.
  • Remediate risks. Remove user security risks, establish role-based access controls (RBAC) to prevent data leakage, protect sensitive items accurately, archive redundant and inactive information to lower-cost cloud storage, and destroy data that no longer serves a purpose.
  • Optimise operations. Automate the management of inactive and ROT data to proactively and automatically dispose of eligible data, reducing the risk profile of high-risk items through automated governance policies.  
  • Use analytics and reporting. Use them to empower data-driven decisions, track governance effectiveness with KPIs, and adjust strategies as needed. Engage strategic and technical specialists to align technology with business objectives, maximising ROI and operational efficiency.

Achieving Digital Clarity Through Data Minimisation

The journey towards effective data minimisation is not without its challenges. It requires a cultural shift within organisations, moving away from the “more is better” mindset and embracing a philosophy of purposeful data collection and retention. This shift must be supported by clear policies, robust governance frameworks, and ongoing education for staff at all levels. Technology can be a powerful enabler, providing the tools needed to assess, manage, and protect data throughout its lifecycle. However, technology alone is not enough. Success depends on leadership commitment, cross-functional collaboration, and a willingness to challenge established practices.

Ultimately, data minimisation is about creating value through restraint. It is a strategic imperative for organisations seeking to thrive in a digital world. By collecting and retaining only what is necessary, organisations can reduce risk, lower costs, foster collaboration, and build trust with customers and stakeholders. The benefits extend beyond compliance and security, touching every aspect of organisational performance.

As we move forward, it is essential to challenge the “more is better” mindset and embrace a future where less data means more value, security, and agility.

Data minimisation isn’t just a compliance checkbox — it’s a strategic imperative. 


Janine Morris

Janine Morris is an experienced information management professional who helps organizations reduce information chaos and improve employee experience while meeting regulatory and compliance requirements, especially those related to AI and data security. She holds a Master's degree in Information Management and her professional approach and passion have earned her solid recognition in the industry, including being recognized as a Membership Fellow (FRIM) and serving as a former board director and branch president of RIMPA Global.