Skip to main content

The carbon cost of data: why data minimisation matters now

·7 mins
Data Minimisation ESG Sustainability Privacy by Design GDPR

Embracing data minimisation is not simply about ticking a compliance box, it represents a fundamental shift in mindset towards a responsible and sustainable approach to data, ensuring that we not only protect individual rights and freedoms but also safeguard the future of our planet.

The power and relevance of data minimisation in ESG programmes

With digital transformation pretty much BaU these days, the convergence of emerging technologies and environmental accountability demands a re-evaluation of traditional business practices for many companies. Environmental, Social, and Governance (ESG) considerations are no longer confined to the realms of resource management and ethical labour practices. They must now take in the very foundation of our digital infrastructure. At the heart of this lies data minimisation, a principle enshrined in most data protection laws and regulations around the world. This principle mandates the collection, processing, and storage of only the data that is strictly necessary for specified, legitimate purposes. To disregard or trivialise data minimisation is not merely a legal oversight, it constitutes a reckless disregard for the environmental well-being of our planet and a betrayal of commitments to a sustainable future made by institutions and bodies like the UN and EU.

The environmental footprint of the data behemoth

The relentless pursuit of data, often driven by the demands of enhanced insights and competitive advantage, has created a digital behemoth with a huge appetite for resources and a massive environmental footprint. The “data hoarding” mentality, where companies indiscriminately collect and retain vast quantities of personal data, has created a hidden environmental crisis that demands urgent attention.

Think about the energy consumption of data centres. These ever-increasing-in-size facilities require tremendous amounts of electricity to power servers, storage devices, and cooling systems. As the volume of data continues to explode, the energy demands of data centres are escalating at an alarming rate, contributing significantly to greenhouse gas emissions and exacerbating the climate crisis. The European Green Deal’s ambitious climate neutrality goals cannot be realised without addressing the unsustainable energy consumption of our digital infrastructure.

The environmental cost extends beyond energy consumption. The production of servers, storage devices, and networking equipment necessitates the extraction of increasingly scarce rare earth minerals and other valuable resources. Shorter hardware lifecycles, driven by the continual demand for greater storage capacities and faster processing speeds, intensify the pressure on these resources and contribute to environmental degradation. The environmental burden of manufacturing IT equipment is often overlooked, but it represents a significant challenge to achieving a circular economy and reducing our reliance on finite resources.

Furthermore, the rapid pace of technological innovation leads to a growing volume of obsolete servers, storage devices, and other IT equipment, contributing to the global e-waste crisis. Improperly managed e-waste poses a significant threat to human health and the environment, contaminating soil, water, and air with hazardous substances. The long-term consequences of digital waste are only beginning to be understood, but it is clear that we must adopt more sustainable practices for managing electronic waste and reducing its environmental impact.

Data minimisation: data protection practices meets environmental responsibility

Data minimisation, as articulated in Article 5(1)(c) of the GDPR, offers a framework for mitigating the environmental impact of the data-driven economy and aligning our processing practices with the principles of sustainability. By embracing data minimisation, companies can unlock a range of environmental benefits and contribute to a more sustainable future.

Firstly, data minimisation can reduce the energy consumption of data centres. Storing only essential personal data minimises the overall energy demand of these facilities, directly lowering carbon emissions. By optimising data storage and processing practices, companies can reduce their carbon footprint and contribute to a cleaner, more sustainable energy future.

Secondly, data minimisation can extend the lifespan of IT infrastructure. By reducing the need for constant hardware upgrades and expansions, organisations can prolong the useful life of their existing IT equipment, reducing the demand for new resources and mitigating the environmental impact of manufacturing. Extending hardware lifecycles not only reduces resource consumption but also minimises the generation of e-waste.

Thirdly, data minimisation can help to mitigate the e-waste crisis. Implementing data retention and deletion policies in a proper, thought out manner, as required by most data protection laws, helps to minimise the volume of obsolete hardware that ends up as e-waste. And at the same time, by ensuring that personal data is securely deleted when it is no longer needed, companies can reduce risks to the rights and freedoms of individuals

Also, embracing data minimisation enhances data security and resilience. A smaller data footprint reduces the attack surface for cybercriminals, making companies less vulnerable to data breaches. By minimising the amount of personal data stored, companies can reduce the potential impact of a data breach on both individuals and the environment.

Your call to action

To fully realise the environmental benefits of data minimisation, companies must embrace a comprehensive and strategic approach that encompasses the following key elements:

  • Conduct a thorough data audit to identify all personal data collected, processed, and stored, mapping data flows to understand how data is used and shared.

  • Define clear, specific, and legitimate purposes for each processing activity, ensuring that data collection is strictly limited to those purposes.

  • Implement data retention policies, specifying how long personal data will be stored and when it will be securely deleted, in accordance with applicable laws and regulations.

  • Prioritise data security by implementing data security measures to protect personal data from unauthorised access, use, or disclosure.

  • Provide relevant role-based employee education and training to ensure that all employees understand data protection principles and requirements, especially in this context, data minimisation practices.

  • Embed data protection by design and by default, integrating data protection principles into the design of all new products, services, and business processes.

  • Make use of privacy-enhancing technologies (PETs) such as anonymisation, pseudonymisation, and differential privacy to minimise the amount of personal data processed while still enabling valuable insights. Be aware you need to also have the right competences in your companies to work with these technologies. The UK’s ICO highlights this in it’s very useful guidance.

  • Finally, promote algorithmic efficiency by using techniques such as feature selection, dimensionality reduction, and model compression to create leaner and more efficient algorithms and models, reducing energy consumption.

Data minimisation is far more than a mere legal compliance exercise, it is a fundamental ethical and environmental imperative. In my unwavering conviction, companies that fail to embrace data minimisation are not only exposing themselves to significant legal and reputational risks but are also actively undermining global efforts to build a sustainable digital future.

The time for complacency is over. Companies and public sector bodies must recognise the environmental consequences of unchecked data growth and take decisive action to minimise their data footprint. By embracing data minimisation, they can create a more sustainable, resilient, and equitable digital ecosystem that protects both the rights and freedoms of individuals and the health of our planet.

Frequently Asked Questions #

What is data minimisation under the GDPR? Data minimisation is a core principle set out in GDPR Article 5(1)(c). It requires that personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. In practice, this means organisations should only collect and retain the personal data they genuinely need for a specific, documented purpose — and delete it when that purpose is fulfilled.

How does data minimisation reduce environmental impact? Storing less data means fewer servers, less energy consumed by data centres, fewer hardware upgrades, and less e-waste. Data centres are significant consumers of electricity for both processing and cooling. By retaining only necessary data and implementing proper deletion policies, organisations directly reduce their energy demand, extend hardware lifecycles, and generate less obsolete equipment that contributes to the global e-waste crisis.

Is there a link between data minimisation and data security? Yes. A smaller data footprint reduces the attack surface available to cybercriminals. Organisations that hold less personal data face lower impact if a breach occurs — fewer data subjects affected, fewer categories of data exposed, and a more contained incident response. Data minimisation is therefore both a compliance measure under GDPR Article 5(1)(c) and a practical security strategy.

What are privacy-enhancing technologies (PETs) and how do they support data minimisation? Privacy-enhancing technologies include anonymisation, pseudonymisation, differential privacy, and synthetic data generation. They allow organisations to derive useful insights from data while reducing or eliminating the processing of identifiable personal data. The UK ICO has published detailed guidance on PETs for organisations looking to implement them as part of a data minimisation strategy.

Author
Tim Clements
Tim Clements is Business Owner of Purpose and Means, a data protection and GRC consultancy based in Copenhagen, operating globally. He helps data protection and GRC leaders simplify complexity into actionable strategies, providing tools, training, and support to engage and influence across the organisation. Tim is a Chartered Fellow of the BCS (British Computer Society).

Browse by Topic

access controls accountability accountability frameworks ai act ai ethics ai governance ai infrastructure sovereignty ai literacy ai regulation article 12 article 13 article 22 article 25 article 28 article 30 article 32 article 35 article 46 article 5 article 6 article 7 audit and assessment automated decision-making awareness awareness campaigns behaviour change beyond legal board level board reporting case law change management chief people officer cloud infrastructure compliance monitoring consent cookie compliance cross-border transfers customer success dark patterns data accuracy data breach notification data flows data mapping data minimisation data processing agreements data protection data protection by design data protection culture data protection day data protection hero data protection leader data quality data residency data retention data science data sovereignty data subject rights datatilsynet deceptive design design thinking direct marketing dora dpia education employee data employee engagement enterprise architecture eprivacy esg executive communication external legal counsel finance and banking gdpr gdpr at 10 generative ai governance grc healthcare horizon scanning hr and data protection hr and employment incident response information security intellectual property internal communications international transfers lawful basis leadership lego serious play machine learning marketing nis2 passwords privacy by design privacy culture product management profiling public sector purpose limitation quantum computing records of processing regulatory guidance risk management risk reduction ropa sales security software development special category data standard contractual clauses strategic planning sub-processors supply chain sustainability system design third-party risk training design transparency trend radar ux design vendor management visual communication weak signals workshop facilitation

Related Posts