Data Minimization
The privacy principle of collecting and retaining only the personal data actually needed, for only as long as needed, to reduce risk and cost.
Data minimization is the principle that an organization should collect, use, and keep only the personal data it genuinely needs — and no longer than necessary (a related idea called storage limitation). It is a cornerstone of modern privacy frameworks, including the GDPR and the NIST Privacy Framework.
The rationale is that data you do not hold cannot be breached, misused, or demanded in litigation. Minimizing personal data therefore reduces breach exposure, compliance burden, discovery cost, and storage cost at once. Data minimization maps directly onto good records management: a retention schedule that limits how long PII is kept and ensures timely disposition is, in effect, a data-minimization control. Over-retention is precisely what the principle guards against.