Glossary

Data Minimisation

GDPR principle requiring only necessary personal data to be collected and processed for the specific purpose.

Data minimisation is one of the core principles of the GDPR (Article 5(1)(c)), requiring that personal data collected and processed must be adequate, relevant and limited to what is strictly necessary for the stated purpose. This means organisations must critically evaluate each data field they collect and be able to justify why it is needed, rather than gathering data speculatively or "just in case".

In practice, data minimisation reduces an organisation's attack surface and limits the potential impact of a data breach, since less data means less exposure. It also simplifies compliance with other GDPR obligations such as storage limitation and data subject access requests, and builds trust with customers who are increasingly aware of how their data is used.
