How to apply data minimisation and storage limitation rules

Person at an office desk reviewing a printed checklist next to an open laptop
TL;DR

Data minimisation and storage limitation turn into practice as one loop. Decide what personal data you genuinely need to collect, decide how long each store keeps it, and keep evidence that deletion happens. Four artefacts prove the loop is running, a data inventory, a purpose per category, a retention rule per store, and deletion logs. A firm of under fifty people can build the first version in an afternoon using tools it already pays for.

Key takeaways

- Data minimisation and storage limitation run as one loop, decide what to collect, decide how long to keep it, and keep evidence of both decisions. - The ICO looks for four artefacts, a data inventory, a purpose per data category, a retention rule per category or store, and proof of deletion. - A firm under fifty people can build a workable data inventory in one afternoon by working function by function with ICO-style questions. - Retention rules belong at the level of stores, not individual records, and Microsoft 365 and Google Workspace can automate the deletion. - AI prompts, outputs and training data are stores in their own right and need the same purpose, retention and deletion treatment.

An office manager at a twenty-person services firm has done the reading. They know what data minimisation means, they agree with every word of the storage limitation principle, and they have told the owner it will be handled. It is now Wednesday, the promise falls due on Friday, and none of the guidance says what to do first.

Here is the honest answer. The two principles turn into practice as a single loop. Decide what you genuinely need to collect, decide how long you need to keep it, and be able to prove that both decisions exist. A firm that can show the loop running beats a firm with a beautifully worded policy it never applies. Everything below is about getting the loop started this week.

What does applying these principles actually involve?

Applying data minimisation and storage limitation comes down to four artefacts the ICO’s guidance keeps pointing at. A data inventory showing what personal data you hold and where. A documented purpose for each category. A retention rule for each category or store. And evidence that deletion actually happens. If you can produce those four things, you are applying the principles.

The ICO’s accountability guidance is blunt on this point. Compliance has to be demonstrated rather than asserted, and for a firm of five to fifty people the documentation can be proportionate as long as it is, in the ICO’s words, granular and meaningful. The bar is a clear record of what data you process, why, where and for how long, plus proof that the rules get applied. Enterprise governance software does not come into it.

If the principles themselves are still fuzzy, start with the plain-English explainers on what data minimisation means and what storage limitation means, or the piece on how the two differ in practice. This post assumes the definitions and deals with the doing.

How do you build a data inventory in one afternoon?

Structure the afternoon around business functions rather than data types. Take staff management, customer delivery, marketing and finance in turn, and for each one record what personal data is used, why, where it lives, who it is shared with and how long it is kept. The ICO’s own documentation guidance recommends exactly this broad-to-narrow approach, and it fits a firm under fifty people comfortably.

Run it as a series of short conversations with whoever owns each function, and anchor every answer to a visible system. Payroll software, the CRM, shared drives, email, the ticketing tool, and any AI services staff have started using. For each system, work through the ICO’s own prompting questions. Why do you use personal data, who do you hold it about, what do you hold, who sees it, how long do you keep it, and how is it kept safe.

Capture the answers in a spreadsheet, one row per purpose, and aim for breadth over depth. A complete rough map of every system beats a perfect catalogue of one. Where nobody knows the answer, write down “unknown” and move on. The ICO treats this documentation as a living record, so gaps become follow-ups, and the unknowns tend to be where the real risk sits anyway.

Where does over-collection happen in practice?

Three places account for the bulk of over-collection in an owner-managed business. Forms that ask for more than the purpose needs, CRMs whose default fields invite hoarding, and AI tools that can reach everything a user can see. Each one is fixable in an hour or two once the inventory has told you what each collection point is supposed to be for.

Forms first. The ICO warns against collecting personal data on the off-chance it might be useful, so test every field against its purpose. A date of birth where an age bracket would do, a full postal address on an email-only newsletter, a mobile number on a form whose replies go out by email. Cut those fields or make them optional, and note the change in the inventory.

Then the CRM, whose default schema was designed for somebody else’s business. Compare what the system captures against the purposes you documented and switch off fields with no rational link. AI tools need the same check from a different angle. An assistant such as Copilot or Gemini can reach whatever the signed-in user can reach, so the fix is scoping, restricting which repositories the assistant sees and applying rights-management controls to sensitive files. Google’s own guidance confirms that IRM-protected files are excluded from what Gemini can retrieve.

How do you set retention rules without drowning in them?

Set retention rules per store, not per record. One rule for email, one for the CRM, one for HR files, one for shared project folders, each tied to the purposes that store serves. Then automate wherever the platform allows, so deletion happens on a schedule rather than depending on anyone remembering to tidy up. A handful of standard periods covers a firm of this size.

The platforms you already pay for do the heavy lifting. Microsoft 365 retention policies in Purview can retain and then delete content across Exchange, SharePoint and OneDrive, scoped per location, with the clock running from creation or last modification. Google Workspace does the same through Vault retention rules. Seven years for finance mailboxes, two years after last activity for project folders, and the deletion runs on schedule with a log to show for it.

Some systems have no retention engine at all. For a CRM or ticketing tool without one, the answer is a routine, a quarterly review that batch-deletes closed records past their period, with the date noted somewhere findable. Where a legacy system genuinely cannot delete, the ICO’s audit guidance accepts putting the data securely out of reach or anonymising it. The logs and notes from all of this become your fourth artefact, the evidence of deletion.

How does AI use change the calculus?

AI tools add three new places where data accumulates. Training data, the content an assistant can reach, and the prompts and outputs themselves. Each needs the same treatment as any other store, a documented purpose, a retention rule and a way to show deletion, and each is easy to miss because none of them looks like a filing system.

Training first. If a vendor offers to fine-tune or adapt a model on your content, decide what is excluded before anything is ingested. HR files, complaints and anything touching special category data stay out unless there is a documented reason to include them. Then retention inside the tools. Google Workspace administrators can set how long Gemini prompts and responses are kept and can audit which files the assistant touched, so treat prompts as a category in the inventory with a deliberately short retention period.

The harder risk to see is scope creep. A staff member pasting a grievance or a customer complaint into a chat tool has started a new processing activity nobody assessed. Set plain boundaries on what AI can be used for, and when a tool starts shaping decisions about individuals, you are into DPIA territory, which is a different exercise from this one. The wider picture across UK GDPR and the EU AI Act is covered in the data retention rules for AI piece.

So the Friday answer has three parts. Book the inventory afternoon and run it function by function. Fix the single worst over-collection point the inventory reveals, usually a form or a CRM field set. And turn on one store-level retention rule in email or file storage, keeping the log it produces. That is the loop running in miniature, and once it exists, everything else is refinement rather than a standing start. The beautiful policy can wait. The evidence cannot.

Sources

- Information Commissioner's Office (2023). Data minimisation, a guide to the data protection principles. The requirement that personal data be adequate, relevant and limited to what is necessary, and the warning against collecting on the off-chance. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/data-minimisation/ - Information Commissioner's Office (2023). Storage limitation, a guide to the data protection principles. The obligation to set, justify and act on retention periods, and to erase or anonymise data once it is no longer needed. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/storage-limitation/ - Information Commissioner's Office (2023). How do we document our processing activities? Documentation guidance recommending business-function-first data mapping, the prompting questions used in the inventory afternoon, and treating the record as a living electronic document. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/documentation/how-do-we-document-our-processing-activities/ - Information Commissioner's Office (2024). Records management checklist, data protection self assessment. Expectations on assigned responsibility, disposal procedures and measuring deletion against retention schedules. https://ico.org.uk/for-organisations/advice-for-small-organisations/getting-started-with-gdpr/data-protection-self-assessment-medium-businesses/records-management-checklist/ - Information Commissioner's Office (2024). Data minimisation toolkit, artificial intelligence, data protection audit framework. Deletion in line with retention schedules, storing data securely out of reach where deletion is impossible, and audit trails as evidence. https://ico.org.uk/for-organisations/advice-and-services/audits/data-protection-audit-framework/toolkits/artificial-intelligence/data-minimisation/ - Information Commissioner's Office (2025). Guidance on AI and data protection. Fairness, individuals' reasonable expectations and minimisation obligations when personal data feeds AI systems. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/ - National Cyber Security Centre (2024). Cloud security collection. The shared responsibility model, under which the customer configures retention, access and data use on cloud platforms. https://www.ncsc.gov.uk/collection/cloud - Microsoft (2025). Learn about retention policies and retention labels, Microsoft Purview. Store-level retain-and-delete automation across Exchange Online, SharePoint and OneDrive, with retention clocks from creation or last modification. https://learn.microsoft.com/en-us/purview/retention - Google Workspace (2023). Enterprise security controls for Gemini in Google Workspace. Admin control over what Gemini can access, IRM exclusions, prompt and response retention settings, and Gemini audit logging. https://workspace.google.com/blog/ai-and-machine-learning/enterprise-security-controls-google-workspace-gemini

Frequently asked questions

What records does the ICO expect a small firm to keep for data minimisation and storage limitation?

Four things in practice. An inventory of what personal data you hold and where it lives, a documented purpose for each category, a retention rule for each category or store, and evidence that deletion happens, such as logs from retention policies or notes from manual weeding. The ICO's accountability guidance says documentation can be proportionate to your size, but it must show the principles being applied, not just written down.

Do we need special software to apply storage limitation?

No. Microsoft 365 and Google Workspace both include retention controls that can delete content automatically after a set period, scoped to mailboxes, sites or drives. Purview retention policies handle it on the Microsoft side and Vault retention rules on the Google side. For systems without automation, such as many CRMs and ticketing tools, a documented quarterly deletion routine does the same job. The important part is that the rule exists and leaves evidence.

How do AI tools affect data minimisation and storage limitation?

They add new places where personal data collects. Assistants like Copilot and Gemini can reach whatever the signed-in user can see, prompts and responses are stored with their own retention settings, and vendor training can ingest content you never meant to share. Treat AI tools as stores in your data inventory, restrict what they can access, exclude sensitive repositories from training, and set short retention on prompt history.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.

Ready to talk it through?

Book a free 30 minute conversation. No pitch, no pressure, just a useful chat about where AI fits in your business.

Book a conversation

Related reading

If any of this sounds familiar, let's talk.

The next step is a conversation. No pitch, no pressure. Just an honest discussion about where you are and whether I can help.

Book a conversation