In an era where “data is the new oil”, companies find themselves struggling with a sustainable strategy. Companies routinely collect vast amounts of personal information, but with this increased data collection comes the responsibility to handle it ethically and securely. One key principle in achieving this delicate balance is data minimization. While data provides tremendous value in driving business decisions, it also presents challenges and risk.
Understanding Data Minimization
Data minimization is a privacy-enhancing practice (and one of the 7 principles of the GDPR) that involves collecting and processing only the data that is strictly necessary for a specific purpose. In essence, it’s about limiting the amount of personal information an organization gathers, retains and processes. This reduces the potential risks associated with data breaches, unauthorized access and misuse.
Benefits Of Data Minimization
Large-scale data stores can certainly benefit your company, but they can also be a technical and regulatory liability. On the technical side, the more data you have, the more it costs to store and access (compute). In the case of stale data, it becomes harder to identify a “source of truth” and there are more chances to provide inaccurate information. On the regulatory or compliance side, low-value data really only causes risk for your company should you experience a security event. This adds up to risk without reward.
Transactional And Analytical Usage
For many reasons, minimizing your data footprint is wise. Once you’ve done that, is your work here done? Short answer: No. Longer answer: it’s a big step in the right direction, but there is more to it. According to Article 5(1)(c) of the GDPR, data minimization also means processing only what is strictly necessary. The intent of this principle is to prevent the misuse of data. That means using it for a legitimate business reason consistent with the purpose for which the data was provided. A good example of this is reporting. There are limits (which will be another article), but in general, reporting is expected and in the normal course of running a business.
Building Trust With Consumers
Demonstrating a commitment to data minimization fosters trust with your customers. When individuals know that only strictly necessary information is being collected and that their privacy rights are being respected, they are more likely to award you their business.
Practical Data Minimization Techniques
The first step in data minimization is gaining an understanding of what data you have. This is much easier said than done. Other than gaining support for data privacy within an organization, data mapping is probably the most difficult part.
- Data Mapping – This exercise will tell you where your data is, how much of it you have and what categories it falls into. It is also a very useful tool in identifying unused assets and duplication (you will be surprised).
- Data Cataloging – This is the practice of keeping a centralized inventory of data assets. Key benefits of this practice are the ability to see if data elements are being acquired more than once and the ability to track data lineage. This may not sound like it would help with minimization, but indirectly, it does. In a large enterprise, if a data element is not correct or not the best choice, finding another source might be needed. The catalog lets you record that you did so and remove the old one.
- Retention Periods – Set a retention period for data held by your company to keep your footprint limited to only what is needed and provides value. With your retention periods comes the programmatic elimination of data according to a schedule.
- Privacy Enhancing Technologies (PETs) – Privacy tech is absolutely key to data minimization. Discovery and catalog tooling helps you gain a better understanding of your data estate. It also helps prevent sprawl as you grow and onboard new tech.
- Data Modeling – Using data models will help optimize the data used for a given purpose. They can also be used to inform the tuning of your ETL process. This will not only be a step toward achieving minimization, but it will also lower strain on your systems by trimming bloated queries. (And your data architects and engineers will love you.)
Conclusion
While data minimization offers considerable benefits, accomplishing it can prove very difficult. Navigating legacy systems and competing priorities makes this even harder. Finding the right balance between collecting, retaining and processing enough data to drive business decisions while managing risk is no simple task. The investment in data minimization is required by many regulations, but it is also key to scalable solutions, respecting privacy rights and preserving public trust.