# Data Minimization and Purpose Limitation

One-sentence definition: Collect and process only the minimum data necessary for a stated purpose.

## Key Facts

- Reduces breach impact and compliance burden.
- Requires purpose documentation and periodic review.
- Supports privacy by design/default in systems.
- Use aggregation, masking, and deletion workflows.
- Align access roles with actual need-to-know.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Choose design that enforces least data collection/retention.

**Mnemonic:** “Less data, less risk.”

## Mini Scenario

Q: App requests date of birth when only age bucket needed—fix?

A: Collect only bucket; update forms and API.

## Revision Checklist

- Define minimization and purpose limitation.
- Give two technical enforcement examples.
- Link to risk reduction.

## Related

[[Privacy Principles and Data Protection]] · [[Data Classification Levels and Handling Rules]] · [[Pseudonymization vs Anonymization]] · [[Tokenization]] · [[Access Control to Data Assets]] · [[Domain 2 - Index]]