AuditFront

Data Minimization

The principle that organizations should collect, process, and retain only the minimum amount of personal data necessary to fulfill a specific, stated purpose. Data minimization limits exposure risk by ensuring unnecessary data is never gathered in the first place.

Data minimization is a foundational privacy principle enshrined in GDPR Article 5(1)(c), which states that personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. This principle shifts the default from collecting as much data as possible to collecting only what is genuinely needed. It applies not only to the initial collection of data but also to ongoing retention — data that was once necessary may become excessive if the original purpose has been fulfilled.

The practical implications of data minimization extend across every stage of the data lifecycle. During system design, it means building forms and APIs that only request essential fields. During processing, it means limiting the data shared between internal systems or with third parties to what is strictly required. During storage, it means implementing retention policies that delete or anonymize data when it is no longer needed. ISO 27001 supports data minimization through its information classification and handling controls, which require organizations to understand what data they hold and manage it appropriately. SOC 2's Privacy criteria directly reference the collection limitation principle.

For technology companies, data minimization has both compliance and practical benefits. Reducing the volume of personal data collected and stored directly reduces the impact of a potential data breach, lowers storage costs, simplifies data subject access requests, and makes cross-border data transfer compliance more manageable. Organizations implementing data minimization should conduct data mapping exercises to identify what personal data they collect, evaluate whether each data element is truly necessary, implement technical controls that enforce collection limits, and establish automated retention and deletion schedules. Privacy-enhancing technologies such as pseudonymization, aggregation, and differential privacy can also support data minimization by reducing the identifiability of data while preserving its analytical utility.
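One way the collection limit, pseudonymization and retention schedule described above can be enforced in code, as an added example that is not from AuditFront or from any framework text; the purpose register, the hashing key and the over-collecting intake record are constructed for illustration:

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Hypothetical purpose register: each stated purpose lists the only fields it
# needs and how long a record may be kept. Values are constructed for the example.
PURPOSES = {
    "order_fulfilment": {"fields": {"email", "shipping_address"}, "retention_days": 90},
    "product_analytics": {"fields": {"country"}, "retention_days": 365},
}

# Constructed key for pseudonymization; in a real system load it from a secret store.
PSEUDONYM_KEY = b"example-key-rotate-me"


def pseudonymize(value: str) -> str:
    """Keyed hash: records of one subject stay linkable without storing the raw id."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def minimize(raw: dict, purpose: str, collected_at: datetime) -> dict:
    """Keep only the fields the stated purpose needs; everything else is dropped
    before storage and the direct identifier is replaced by a pseudonym."""
    spec = PURPOSES[purpose]  # unknown purpose -> KeyError: no purpose, no collection
    record = {k: v for k, v in raw.items() if k in spec["fields"]}
    record["subject"] = pseudonymize(raw["user_id"])
    record["purpose"] = purpose
    record["expires_at"] = collected_at + timedelta(days=spec["retention_days"])
    return record


def purge_expired(records: list, now: datetime) -> list:
    """Retention schedule: anything past its purpose-bound expiry is deleted."""
    return [r for r in records if r["expires_at"] > now]


# Constructed sample input: an intake form that asks for more than any purpose needs.
SAMPLE_INTAKE = {
    "user_id": "u-42", "email": "a@example.com", "shipping_address": "1 Main St",
    "country": "DE", "date_of_birth": "1990-01-01", "phone": "+49 000 000",
}
COLLECTED_AT = datetime(2024, 1, 1, tzinfo=timezone.utc)


def demo() -> dict:
    analytics = minimize(SAMPLE_INTAKE, "product_analytics", COLLECTED_AT)
    fulfilment = minimize(SAMPLE_INTAKE, "order_fulfilment", COLLECTED_AT)
    # 100 days on, the 90-day fulfilment record is purged; the analytics one remains.
    kept = purge_expired([fulfilment, analytics], COLLECTED_AT + timedelta(days=100))
    return {"analytics": analytics, "fulfilment": fulfilment, "kept_after_100_days": kept}
```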
