Data Minimization is a Privacy Responsibility
- What regulatory trends tell us about shifting data policy needs
- 4 ways Privacy can avoid the trap of “big data”
- The business advantage of minimization
Among the more daunting new compliance challenges facing privacy teams is the spread of data minimization requirements across privacy regulations. Since the GDPR became applicable in 2018, newer laws have followed its lead in imposing minimization requirements. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), which predates the GDPR, contains a similar limiting-collection principle, and the California Privacy Rights Act (CPRA), effective January 1, 2023, adds one as well. A number of U.S. states are modeling new privacy statutes on CPRA, just as many countries are modeling privacy laws on GDPR.
Data minimization runs counter to today’s data-driven business model, so it won’t happen without leadership from privacy teams. The rapid expansion of digital business processes, together with new data sources from mobile devices to smart vehicles and appliances, is creating an explosion of data. At the same time, inexpensive computing power and compelling analytics create the temptation to gather all of it on the chance that it will someday have business value.
Privacy teams will therefore need to be agile: shaping data management policies, educating colleagues, and collaborating across the business so that the organization achieves compliance and then maintains it.
Aspects of Data Minimization
Data minimization has three major aspects that need to be considered in collecting and managing personal information:
- Use requirements: The GDPR says personal data must be adequate, relevant, and limited to what is necessary for the purposes for which it is processed. CPRA says collection and processing must be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed,” and PIPEDA has similar language. In other words, collect and share only the information needed for that specific business purpose, and no more. So, before collecting data, organizations need to define how they intend to use it.
- Notice and consent requirements: In addition to meeting use requirements, GDPR and similar laws require disclosure to the individual, at the time of collection, of how the data will be used and with whom it may be shared. (GDPR requires a lawful basis for every processing activity; where that basis is consent, it must be an affirmative opt-in. Other laws vary on opt-in vs opt-out requirements.) This means usage policies, processes, user disclosures, and opt-in/opt-out mechanisms must be in place before data collection begins.
- Data governance: If an organization wants to use personal data outside the defined, disclosed purposes and processes, it must first determine whether and how to either de-identify the data or notify the affected individuals and obtain their consent. Similarly, data should be retained only as long as the original purpose is in effect. After that, it needs to be securely destroyed or de-identified, and any partners with whom the data was shared must do the same.
Privacy teams have an important role to play in each of these areas.
Privacy’s Role in Data Minimization
In the abstract to a 2016 IAPP web conference, presenters lamented: “No matter what business we are in, we are all suffering from data overload. We create too much, store too much, and, most vexing of all, we can’t find a way to get rid of what we no longer need. More data means more problems; the hackers and data thieves couldn’t be happier.” Five years later, the verdict is in: the unbridled rush to “big data” collection is a trap.
Privacy teams must help to lead their organizations out of that trap and towards data minimization. And that means getting involved:
- Data mapping is a good opportunity to fix compliance gaps. As privacy teams work with IT to develop and maintain data maps, they should review each existing data set against minimization requirements. Is it still in use? Is the current use the same as the original use, and has the current use been disclosed to affected individuals? Have any opt-in requirements been met? Is it shared with partners, and are those partners complying with the same minimization requirements?
- As new laws come into effect, privacy teams need to inform and educate IT and business managers about data minimization requirements and collaborate to review existing data collection and retention practices.
- Privacy teams need to help keep disclosure notices and opt-in/opt-out mechanisms current with regulatory requirements and help ensure partner agreements are kept up to date so that partners are following the same policies with any shared data.
- Privacy teams need to be part of business planning teams, so that new business initiatives are designed from the start to comply with data minimization, disclosure, and consent requirements.
As data minimization requirements expand to new jurisdictions, privacy teams will need bandwidth to advocate and collaborate. To free time and resources, teams may need to find efficiencies in other areas, such as by streamlining and automating the incident response process.
Data Minimization Pays Off
Working on data minimization is one way that privacy teams can have a direct impact on their organization’s top and bottom lines. Consumers are concerned about privacy, so disclosing and reassuring consumers about how their data will be used can actually be a business advantage. Of course, maintaining compliance helps avoid possible fines that cut into profits. And, because the only 100% risk-free data is the data you never collect, the more the privacy team can help minimize data collection, the lower the risk of breaches, breach response costs, and reputational damage, not to mention a lower cost for data storage and data management.
Data minimization may mean more work, but it is also a great opportunity for the privacy team to show colleagues and decision-makers how privacy is great for business.