Skip to content
Vol. I · No. 251
Mon · 8 Jun
A Daily Lexicon of Trustworthy Data
No. 244
244·01 · Business Sense RequiredNo. 244 · 22 May 2026 · 2 min

Privacy law says keep less. The model says keep everything. Nobody wrote down what "it" is.

Minimization is a sentence about purpose. Most firms never finished the sentence.

EvidenceThe EditorReality Tax

Two mandates now sit in the same architecture diagram and refuse to make eye contact. One says collect only what you need. The other says feed the model and let posterity sort it out.

Data minimisation is neither new nor vague. GDPR Article 5(1)(c) requires personal data be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed." The UK kept the identical wording. The rule rests on one phrase doing the work: the purpose. Minimisation answers a question the organization was supposed to have already asked.

Then the model arrived hungry, and the house rule became keep everything in case. Privacy professionals describe the collision politely: large training sets sit in open tension with a stated purpose, and once data is fused into model weights, deleting it can mean retraining, not a delete button. The principle assumes you can name a purpose; the engineering assumes you would rather not.

Here is the part the steering committee skips. You cannot minimise against a purpose you never defined, nor honor a retention limit on a field nobody owns. "We might need it for AI" is the absence of a purpose, wearing a roadmap. The conflict everyone frames as privacy-versus-innovation is usually definition-versus-nothing. The law did not create the tension; it exposed a blank purpose statement.

Watch which function gets handed the contradiction. It lands on the steward or privacy lead, asked to build a retention schedule for data whose purpose and owner were never written down. That is the reality tax: the cost of skipping the boring sentence. Before the next model eats the warehouse, finish the clause beginning "the purpose of this data is."

The takeaway

You cannot minimize what you never agreed to define or own. Write the purpose before you write the retention rule.

The claim, mapped

  1. GDPR Article 5(1)(c) requires personal data to be adequate, relevant and limited to what is necessary for the stated purpose — the data minimisation principle.

    supports01

  2. Privacy commentary describes a genuine tension between data minimisation and AI systems that ingest large datasets and can retain personal data in model weights.

    supports02

  3. Minimisation is undefinable when an organization has never named the processing purpose or the owner of a data field.

    context0102
Sources
01
legislation.gov.uk — Regulation (EU) 2016/679 (UK GDPR), Article 5 — Principles relating to processing of personal data2016-04-27 · Tier 1 · primaryArt. 5(1)(c): personal data shall be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)."
02
IAPP — A deep dive into Europe's approach on personal data processing in AI systems2024-11-13 · Tier 2 · analystFrames the friction between GDPR principles and large training sets: models not designed to process personal data can still inadvertently store or reveal it (paraphrased).
Mark this entry
Marginalia · 0 notes

No notes yet. The margin is open.

Sign in to add a note. The margin is moderated — we keep it useful, not cruel.

Related entries
Business Sense Required
New AI rules ask you to govern data you never classified. The bill comes due first.

The obligation assumes an inventory the organization skipped. The inventory is the project.

Process Debt
10 Million Student Records, One Login Nobody Deprovisioned

The FTC's fix for an ed-tech breach wasn't more storage. It was a retention schedule someone has to own.

Owner Missing
The €15M Privacy Fine That Collapsed Because Nobody Owned It

Europe's first big AI-training fine got voided. Not for being wrong — for being orphaned.