How can a Data Fiduciary ensure it processes only the minimum necessary data under Section 7(c) of the DPDPA?

Section 7(c) of the Digital Personal Data Protection Act (DPDPA), 2023, requires that a Data Fiduciary processes only the minimum necessary personal data for a specified purpose. But in practice, how can organizations determine what is "necessary" and ensure they are not collecting excessive data? Are there industry standards, guidelines, or best practices that help define and enforce data minimization?

For instance, if an e-commerce platform collects user addresses for delivery but also stores additional demographic details, would that violate the principle of minimal processing? How do organizations document their decisions on data necessity to avoid compliance risks? If you have insights, frameworks, or case studies to share, please contribute.

0 Answers