Skip to content

The term “data minimization” generally refers to two requirements within the GDPR: (1) a company should only collect and process personal data that is “necessary” in relation to its purpose, and (2) a company should keep data for “no longer than is necessary for [that] purpose[].”[1] Put differently, a company should only collect what it needs, and keep it for as long as it needs it.

Data is typically added to an AI to explain a problem, situation, or request (“input data”). Some popular AI models refer to input data by the term “prompt” as the user is prompting the AI to initiate an action, or to create additional information. Prompts can take different forms such as text prompts or image prompts, and they may, or may not, contain personal information. If a prompt contains personal information, then pursuant to the GDPR, a controller should consider what is the least amount of personal information needed for the AI to understand, and process, a request. Providing the least amount of information needed helps to satisfy the GDPR’s data minimization requirement. If the organization providing the prompt has discretion regarding how the AI will utilize and store input data (i.e., is it the controller of the information maintained by the AI), the organization should also configure the AI to store input data for the least amount of time needed for the AI to complete its processing activity. In other words, the organization should not allow the personal information to stay within the AI for longer than necessary.

[1] GDPR, Article 5(1)(c), (e). Note that under the GDPR the term “data minimization” is sometimes used to refer to minimizing the collection of information and the term “storage minimization” is used to refer to minimizing the retention of information.