Data Minimization

Data minimization is a core GDPR principle (Art. 5(1)(c)): personal data may only be collected when it is genuinely necessary for the stated processing purpose. “As much as needed, as little as possible” summarizes the idea.

In practice this means that forms contain only required fields, log files are pseudonymized, and retention periods ensure that data no longer needed is deleted. Data minimization reduces both the attack surface and liability risk. Within an ISMS it counts among the organizational measures that strengthen both data protection and information security.