The GDPR principle that personal data collected must be adequate, relevant, and limited to what is necessary for the purpose.
Data minimization requires that an organization collect and keep only the personal data it genuinely needs for a defined purpose, and no more. It pushes back against the habit of gathering data just in case it might be useful later.
Applying it reduces both privacy risk and the impact of any breach, since data that is never collected cannot be exposed.