[PeterisP]

It certainly is related. One core argument is that the vast majority of currently stored personal data has no good reason whatsoever to be there, the company should not be collecting, using and storing any personal data.

If half of the companies remove that private data which they shouldn't have, then that will reduce the impact of breaches, as there'll be twice less breaches where's something sensitive to leak.

[aeorgnoieang]

I can't think of massive leaks that involved data that wasn't 'legitimate'. What's your go-to example?

[PeterisP]

No particular single example in mind, but just going through random large leaks:

The Republican National Committee leak (https://gizmodo.com/gop-data-firm-accidentally-leaks-persona...) - all the involved companies which swapped data records to make up this trove would not have had the permission to have much of that data under GDPR.

World Wrestling Entertainment 2017 leak - the leaked data included home and email addresses, birthdates, as well as customers' children's age ranges and genders where supplied, and even ethnicity; there's simply no reasonable reason why they should have had data like that in the first place. It it hadn't be collected, it couldn't have been leaked.

Joblink breach (https://www.identityforce.com/blog/americas-joblink-data-bre...) leaked among other things birthdate and social security number. There's no good reason to ask the birthdate in the first place, and to store the social security number after you've run whatever verification they do (presumably it gets used for background screening).

The big point is that almost always data minimization would have reduced the consequences. Companies keep old data forever, and that creates extra risk; Companies ask for and store more data than they need and that creates extra risk; Companies buy and sell data that shouldn't be bought and sold, and so the data copied in multiple organizations and again, creates extra risk.