Data Minimization

The principle that personal data collected and processed should be limited to what is necessary for the stated purpose.

Data minimization is one of the seven core principles of GDPR (Article 5(1)(c)): personal data shall be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."

The principle breaks down into three practical tests, one per word of the Article 5(1)(c) wording:

  • Adequate. Enough data to achieve the purpose. Collecting too little can also be a problem if it leads to inaccurate decisions.
  • Relevant. Each field has to relate to the purpose. Collecting a date of birth "in case it's useful" doesn't pass.
  • Limited to what is necessary. Necessity is a high bar — could you achieve the same purpose without this field?

How it shows up in vendor work

Most data-minimization failures aren't dramatic. They look like:

  • An analytics SDK collecting full IP addresses when truncated IPs would suffice.
  • A CRM keeping email addresses for inactive contacts indefinitely.
  • A support tool ingesting full chat transcripts when redacted summaries would do.
  • A vendor's product documentation describing "all customer data" being copied to a staging environment for "debugging purposes."

When you onboard a vendor, the lawful-basis question and the data-minimization question are joined: what data does this vendor actually need to deliver the service, and is that all you're handing it?

When you monitor a vendor over time, scope creep is the risk to watch. A vendor that started collecting four fields and now collects fourteen has changed your privacy posture even if they updated their privacy policy to disclose it. Catching that requires actually reading the changes.
