The GDPR introduced the data minimization principle which limits the data controller to collect, store and use only personal information that is necessary to provide service or fulfill a specific purpose.
The GDPR states:
“Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”
Put the data minimization principle in practice on your data collection points and make sure the data subject is notified of who collects data, how is his/her personal data used, how long will you keep the data, and are there any third-parties included in the processing.
If you are a data controller follow these 2 guidelines before collecting data, ask yourself:
✅Can you achieve the purpose without collecting the data?
✅Is your data collection limited to collect only that information that is strictly necessary for you to provide your service or purpose?