Data Minimization Strategies
The first line of Empty Fortress defense: strategies for collecting, processing, and retaining only what you strictly need.
The first line of Empty Fortress defense: strategies for collecting, processing, and retaining only what you strictly need.
Continue your mission
Data minimization is the practice of limiting data collection, processing, and retention to what is strictly necessary for a defined purpose. Within the Empty Fortress doctrine, it is the first line of defense: data you never collect cannot be breached.
Organizations accumulate data for three reasons: inertia (we always have), fear (we might need it someday), and aspiration (we'll analyze it later). None of these survive scrutiny. Inertia is not a strategy. Fear-driven hoarding creates more risk than it mitigates. Aspirational data collection rarely produces the insights imagined, but always produces the liability guaranteed.
Apply five questions to every data element: Do we need this to operate? Do we need this specific granularity? Do we need to store it, or can we process and discard? Do we need to store it here, or can it live in a more appropriate system? Do we need to store it this long?
Start with a data inventory. Map every data store, every field, every retention period. Flag anything collected without a defined operational purpose. Then apply progressive minimization: eliminate unnecessary fields, reduce granularity where possible (zip code instead of full address, age range instead of birthdate), shorten retention windows, and move sensitive data to purpose-built secure stores.
Data minimization is not just good security — it is increasingly the law. GDPR Article 5(1)(c) requires data minimization by design. CCPA grants deletion rights that are easier to honor when you hold less. HIPAA's minimum necessary standard applies the same principle to health data.
Data minimization is the cheapest security control you can implement because it removes the thing being attacked. Apply the five-question test to every data element. Regulatory compliance becomes dramatically simpler when you hold less data.
CDA Theater missions that address topics covered in this article.
Designing retention policies that enforce the temporal dimension of data minimization.
Finding and eliminating the data you didn't know you had — the hidden enemy of zero possession architecture.
Written by CDA Editorial
Found an issue? Help improve this article.