
Data Minimisation

Frameworks: GDPR, HIPAA

GDPR Art. 5(1)(c) principle: personal data must be adequate, relevant, and limited to what is necessary.

Data minimisation requires that personal data collected and processed be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed (GDPR Art. 5(1)(c)). HIPAA's Minimum Necessary Standard is the analogous concept.

Why it matters
Over-collection is the single most common GDPR finding — particularly in HR, support, and ‘analytics’ tooling. Trimming fields at the form level is far cheaper than retroactive purging.

Related terms

Personal Data (GDPR)
Any information relating to an identified or identifiable natural person (data subject) — Art. 4(1).
Minimum Necessary Standard
HIPAA principle (45 CFR §164.502(b)) requiring use/disclosure of only the minimum PHI needed for the purpose.
Purpose Limitation
GDPR Art. 5(1)(b): personal data must be collected for specified, explicit, legitimate purposes and not further processed incompatibly.
