Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Data Minimization; Why Bigger is Not Always Better

Data Minimization; Why Bigger is Not Always Better

"Rather than focusing on opt-in v. opt-out, ..we should be discussing data minimization" - Federal Trade Commissioner
“Rather than focusing on opt-in v. opt-out … we should be discussing data minimization” – Federal Trade Commissioner

An interesting position was previously divulged by the Federal Trade Commissioner of the United States when it comes to data collection. Rebbecca Slaughter proposed to ditch the outdated notice-and consent model to govern questions surrounding personal data. For her, the focus should be on indiscriminate collection of data to fuel business models such as behavioral advertising.

At the forefront of her contention is the need for companies to collect as little personal information as possible.

“Rather than focusing on opt-in versus opt-out, and whether privacy policies are clear enough, I believe we should be discussing the concept of data minimization,” Slaughter said.

What is data minimization

Data minimization refers to the practice of limiting the collection of personal information to that which is directly relevant and necessary to accomplish a specified purpose.

When an organization adapts such practice, any data processing will only use the least amount of data necessary. Likewise, the volume of collected information from private individuals are outrightly reduced. Further, the duration of the record retention is essentially shortened for reasons that will be discussed later.

Also Read: Got A Notice of Data Breach? Don’t Panic!

Legal basis of the principle

Data minimization was ushered years ago at the inception of the Data Protection Act wherein businesses holding data about any European Union citizen are mandated to practice funneled data collection.

Under the General Data Protection Regulation (GDPR), the concept of data minimization revolves around data that is:

  • Adequate
  • Relevant
  • Limited to what is necessary for the purposes for which they are processed

This principle is specifically provided for under Article 5 (c) of the GDPR Principles Relating to Processing of Personal Data. And while there may be key differences between GDPR and the Personal Data Protection Act (PDPA) of Singapore, data minimization is likewise embodied under its 10 main personal data obligations; specifically the consent, purpose limitation, and retention obligations.

Most often, a smaller volume of data is easier to handle and afford security

The benefits of data minimization

At the core of the principle is how companies should only collect and store the data they need- and delete everything else. A hindrance on the concept is the mindset of some organizations that they need store collected data indefinitely “just in case” they need it in the future.

It must be remembered that the value of data decreases quickly as the trend in the industry is dynamic. Also, data storage would entail cost and so companies cannot afford to go on collecting and storing information indefinitely. This outdated practice can lead to large stockpiles of data that can be extremely difficult to organize, manage, and protect.

Which brings us to the important role data minimization plays in cybersecurity. Too much data can bring bigger risks. This is especially true in personally identifiable data. And as you may have already known from reported incidents of data breach and data loss, a major leak of sensitive personal information can warrant hefty penalties. Not only that, your organization’s reputation with regard to effective data security may also be tarnished.

How to practice data minimization

Practicing the principle involves adherence to whatever data protection policy your company has adapted in consonance with GDPR, PDPA, or any other data privacy legislation. In sum, below are guide questions you should ask yourself for each point of data you are planning to collect:

  1. Does the individual know I am collecting the data?
  2. How am I planning to use this data?
  3. Does the individual know why I am collecting the data?
  4. Is there a way of achieving this purpose without having to collect the data?
  5. How long will I need the data for to achieve the purpose?

These guide questions shall determine whether or not you need at any one stage a particular set of collected data; thus if there is a need to store it or can it already be removed from your records.

On the aforementioned Federal Trade’s PrivacyCon, privacy advocates reiterated their long argued contention that companies should only collect the amount of data necessary for a specific purpose, and then only use such for that purpose.

As previously held, data minimization proves to us that bigger is not always better. Most often, a smaller volume of data is easier to handle and afford security.

Hiring a DPO can help.

Aside from the fact that it is mandatory under the PDPA, an outsourced Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organizations comply with the Personal Data Protection Act (PDPA). It can ensure that in the whole process of data minimization, no obligations under the said law is being breached.

Furthermore, every Organization’s DPO should be able to curb any instances of PDPA noncompliance as it is the officer responsible for maintaining the positive posture of an organization’s cybersecurity.

Also Read: Compliance With Singapore Privacy Obligations; Made Easier!



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us