Why Data Minimization Can Help You Comply with Privacy Regulations

By Nick Inglis, Director of Information Governance at IPRO

Data minimization is an operating principle that suggests an organization should only collect and utilize the minimum required data (MRD) to fulfill business operations. This principle of keeping only what we need is now enshrined in privacy legislation and is rapidly becoming a prevalent practice. A data minimization approach is likely a shift from previous methods of data collection.

Data minimization projects can start in many ways. An information security incident may have been your prompt, while others may be looking to improve efficiency by removing redundant, obsolete, or trivial information that serves no business value. Yet others may simply be looking to reduce their storage footprint (I’m looking at you, Marie Kondo adherents).

But for many organizations, the need to meet all the requirements in a new piece of privacy legislation has been a huge cue to begin a data minimization initiative.

We outlined several of these regional privacy regulations in a previous post. However, privacy legislation, where it exists, varies pretty wildly – but is changing rapidly.

Some pieces of privacy legislation deal with particular industries. For example, the Alberta Personal Information Protection Act (APIPA) applies to physicians, dentists, veterinarians, and other health professionals in the province of Alberta, Canada.

Personal information protection legislation in America, however, is more fragmented and nascent. Some states have developed privacy legislation (California, Nevada, Virginia), while many others continue to work on it.

In addition to legislation specific to a country or region, the Organization for Economic Co-operation and Development (OECD) has published ‘Privacy Guidelines’ that have provided recommendations on collecting and using personal information to facilitate smoother cross-country trade.

The Time is Now for Data Minimization

To grapple with the legislation we already face and that we’re likely to meet soon (US federal privacy legislation is very likely to arrive shortly), many organizations are preparing by enacting privacy programs or adapting their privacy programs to the modern era.

One of the pieces of a modern privacy program is establishing your organization’s approach to data – and then following that approach to transform the organization’s existing data (or, at the very least, the approach to collecting new data). Once you’ve established your organization’s approach to data, ensure that you’ve updated your privacy policy according to what you hold and what you will collect going forward.

In light of this, one should adopt data minimization as a broad principle of an organization’s privacy policy – and that includes following the approach to collecting new data. Honoring the principles and procedures established in an organization’s privacy policy allows for a smooth, systematic approach to protect personal information under the law.

Data minimization is not only about privacy, but privacy informs the need for data minimization. Data minimization is really about efficient data management practices. These new approaches may change your existing data management practices, but new directives in legislation and new emerging technologies create the requirement. The need for more efficiency across organizational data has become increasingly important.

Best Practices for Data Minimization

An essential step in the data minimization process is inventorying the amount of personal information you’re holding, where and how it’s stored, and who uses it. This examination ideally will be conducted with data within the organizational scope of control (i.e., information/data of interest for managing operations or conducting business). Still, the intent is to examine data storage practices to determine where and how it is stored.

For this, you should work collaboratively across your organization with all relevant stakeholders. Relevant stakeholders often include representative leaders in privacy, security, information management, legal, IT, risk, and compliance.

In this process, deciding what to keep, how long to keep it, and where to put it are important questions to answer. Fortunately, there have been professionals in your organization who have been answering those questions for decades – records and information managers. While frequently overlooked for a time, records and information professionals were historically the keepers of organizational information (before technology moved many of those tasks to IT). Today, the records and information managers’ stature appropriately returns to historic levels as those professionals become more involved in privacy, data minimization, and overall information governance projects.

Data minimization should include related discussions on the proper scope of what information to collect, what data is acceptable, and how an organization will handle questions concerning the data. And it refers not just to that which we keep but also applies to collecting new information.

The process may seem complex, and the project itself can become complicated if poorly managed, but the process is relatively simple. It all begins with finding out what is there, where it is, and who uses it. While running your data minimization project, you must keep sight of the primary goal: collecting and retaining only the information that you need and nothing more.

Data minimization projects don’t only teach us a good lesson in business, but in life: only keep what you need. Marie Kondo couldn’t have said it better.

IPRO offers solutions that help organizations with data minimization by enabling them to locate and remove redundant, obsolete and trivial information across their data repositories.