
How can your organisation move to ZKP? An expert answers

Many organizations are realizing they're collecting more customer data than necessary. From birth dates to full addresses, much of the information they gather ends up unused, yet still generates compliance costs and increases risk exposure.

Gartner reports that nearly 97% of data within organizations sits unused, meaning the time and resources spent acquiring, securing, and storing this data are significant, while the cost of failing to utilize it is enormous. Similarly, nearly 30% of servers worldwide remain unused, representing roughly 10 million dormant servers and about $30 billion in idle capital.

This is why data minimisation is gaining traction in organisations, whereby customers are only asked for the essentials and nothing more. By switching to attribute-based verification (for example, a simple yes/no to confirm if someone meets certain criteria), companies radically simplify their data landscape.  

With technologies like zero-knowledge proof (ZKP), companies can verify single attributes, such as whether someone is over 18 years, without storing their personal details. This is exactly what itsme Qualify is designed to do. It enables businesses to apply zero-knowledge proof in practice, starting with age verification and expanding soon to other attributes.  

In this Q&A, Product Manager at itsme Pierre Naveau shares practical steps for organisations to move away from traditional data-heavy processes towards leaner, privacy-first verification methods.

What are the first steps for companies looking to minimise the personal data they store?  

Pierre Naveau, Product Manager at itsme: The first step is to map their data requirements to identify which information is truly essential. At this stage, they should question every assumption. For example, many organisations think that they need a customer’s full date of birth to verify age. In reality, many times they just need to know if the user is over or under a certain age. That’s where data minimisation begins, collecting only the level of detail that you require.  

If a company's current setup doesn’t allow only collecting essential data, then you’ll need to explore the market for alternatives. At that stage, it’s important to define the necessary level of data assurance. Do you need the highest level of certified data, or is self-declared information sufficient for your use case? Often, the answer lies somewhere in between.  

Granularity is another crucial point. For example, in the case of age verification, do you really need to know someone’s exact date of birth, or is it enough to know that they are above 18 or 21 years? Once you’ve mapped out both your data needs and the required level of certainty, you can begin identifying suppliers who can help provide exactly that. 

The list of possible ZKP providers will depend on your specific needs and regulatory requirements. Compliance teams are essential in determining this, as different sectors have different requirements. Legal and compliance teams can help product managers identify which information is mandatory and which is unnecessary.

What are examples of sectors that often over-collect user data? 

Pierre: An example of this is social media platforms. Many platforms ask for much more personal information than is truly needed to create an account. E-commerce is another good example. Retailers often think they need to do full identification on a user, including birth date, but that’s rarely the case. To deliver a product, you need a name and address. But even if you’re selling something age-restricted, you only need proof that the buyer is over 18, and not their full date of birth. By limiting collection in this way, companies reduce compliance risk and align with data minimisation principles. 

Learn more: Why is minimum disclosure becoming more top of mind for businesses? 

How can a company choose the right ZKP verification solution?

Pierre: There are generally two paths: build an in-house solution or work with an external provider. Building from scratch is technically possible, but for companies outside the identity business it usually makes no sense. It’s high cost, high risk, and requires ongoing expertise to stay compliant with new regulations. It would also create friction for users if they had to go through a full eID enrolment process on every site they visit. 

That’s why most companies turn to external providers. These solutions are designed for reuse across multiple services and are continuously updated to meet compliance standards. Increasingly, cryptography, particularly zero-knowledge proof technologies, plays a role here. They allow you to verify a specific attribute (for example, that a user is over 18 years) without revealing any other personal details. This supports both strong compliance and data minimisation.

The list of ZKP providers you might consider will depend on your specific needs and regulatory requirements. The right choice ultimately depends on how you balance compliance obligations with business needs for efficiency, privacy, and user convenience. 

For example, if your priority is the highest level of compliance (such as verifying a person’s age against government-issued ID documents) itsme Qualify can deliver this with a yes/no response (e.g. confirming whether someone is over 18) while drawing directly on official sources.

If you are exploring more decentralised models, dedicated ZKP-based vendors such as Iden3 and PolygonID enable selective disclosure of attributes without sharing the underlying data. Larger platforms like Microsoft Entra Verified ID are also adopting ZKP techniques to support verifiable credentials across borders.  

Continue reading: From data act to eIDAS: The future of personal data sharing and ownership in the EU 

After a company chooses a ZKP partner, what happens next? 

Pierre: The first step is for the company to share which data they need, and at what level of granularity. At itsme, we check if we can provide that information and whether it aligns with the required compliance standards. For example, if a company asks for full birth dates but only needs to know whether someone is over 18, we guide them toward a more privacy-friendly solution. Once the scope is agreed, the process moves to commercial discussions, pricing, and finally technical integration, which is relatively straightforward.

What resources are needed on the client side for integration with a ZKP qualification tool? 

Pierre: Surprisingly few. Taking itsme Qualify as an example, on the front end, a client will just need to add a button like “Log in with itsme” or “Verify with itsme.” On the back end, some resources are required to fetch the requested data, but the flows are simple and rely on standardised technologies with technical components available off the shelf. Then there’s testing and deployment, which depends on the company’s internal processes. In practice, this typically involves the front-end team, some back-end developers, and quality assurance. If the partner’s deployment process allows, an integration can be completed in just a couple of days.

What should companies do with the old data they collected when moving to ZKP?

Pierre: This depends largely on regulatory obligations. Some industries require that certain data be stored for a defined period of time, but if the data is not strictly necessary, it should be deleted. Doing so not only lowers maintenance costs, but also reduces risk exposure, since less stored data means less that could be leaked or misused. In this context, studies show that KYC verification using ZKPs can reduce exposed user data by 97%.

What’s the added value of ZKP for end-users?

Pierre: One of the biggest advantages is transparency. Users can see exactly which data is being shared in an age check, and that they’re not handing over their information (such as their birth date), but instead just confirming that they’re within a certain age range. This transparency builds trust. Users feel confident that companies are not over-collecting or misusing their personal data. For businesses, that confidence translates into smoother adoption, fewer drop-offs, and stronger compliance with privacy regulations.

What’s the main takeaway for decision-makers interested in zero-knowledge proof? 

Pierre: Less is more. By applying data minimisation and using technologies such as zero-knowledge proof, companies can: 

  • Reduce compliance and security risks 

  • Simplify onboarding processes 

  • Strengthen user trust 

  • Save costs on data management 

The future of digital verification lies not in collecting more data, but in collecting only what’s necessary. 


itsme Qualify allows businesses to confirm specific attributes (such as age, residency, or proof of humanity) without requiring users to disclose their full identity. It applies ZKP verification and aligns with GDPR principles like data minimisation and storage limitation. Neither verification outcomes nor underlying personal data are stored, which reduces retention risks for both the provider and the relying service.
