Data minimization is one of the most important principles your business can follow to respect user data – and comply with global privacy laws. Follow along to see the basics of how to implement minimization in your data operations.
Data minimization is a principle enshrined in the General Data Protection Regulation (GDPR) and Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD) that requires organizations to limit the amount and type of personally identifiable information they process to the minimum necessary to achieve their purposes. It is also set to become part of US privacy law: the CPRA, or “CCPA 2.0”, contains directives relating to data minimization and is to be voted on in November 2020.
Data minimization means that a company must limit the personal data it collects, stores and uses to data that is relevant, adequate and strictly necessary for the relevant business purpose. It must therefore also ensure that data is erased from its systems once it is no longer necessary for that purpose.
These principles are straightforward to understand, but they can be challenging to implement in large organizations with complex technical infrastructure. In this article, we’ll show how to implement basic data minimization processes for any size of team. First, though, we’ll show you why it matters.
In order to comply with existing data privacy law and respect the principle of data minimization, there are two key steps that your organization should undertake.
First, critically assess how your company currently collects, retains and manages access to personally identifiable information. Here are the questions you need to ask:
Every piece of data that your company collects should be referenced in your data map along with the specific business purpose for collecting it. This ensures that the principle of data minimization is continually adhered to, and that an auditable log exists for compliance purposes. For example, any time your marketing or sales team begins collecting new personally identifiable information from a campaign they are running, make sure that it is logged in your organization’s data map along with the specific purpose for which it will be used.
As part of your data map, you should have a record of the different types of data that your company collects and processes, along with the individuals or teams that have access to that data. You should also include a record with justification for the individual or team having access to it. For example, the finance person responsible for payroll will need access to employee salary data. The entire finance team does not need access unless it is necessary for them to fulfill their individual duties.
Once you have an overview of the personal data that your company processes and the individuals or teams that should have access to it, you will then need a system in place to manage access privileges on an ongoing basis. In reality, people often move teams or change roles within an organization, and the shared platforms teammates use to collaborate can inadvertently become a point of data leakage.
You’ll need to implement a solution that enables the secure management of data access privileges across your organization. Such a solution enables data access to be limited so that only specific applications or specific individuals have access to specific fields of data required for a specific business process. This system should also inform the person managing access privileges as to whether or not the user has provided consent for their personal data to be used for a defined business purpose. This ensures that the user’s privacy and personal rights are kept top of mind for all business operations.
Indefinitely retaining every piece of data that your company collects is both inefficient and contrary to the principles of data minimization. Instead, your organization should periodically review the data that it processes and erase anything that is no longer necessary to fulfill the purpose that it was originally collected for. You should only retain personally identifiable information if it is required to fulfill a pre-specified purpose and should not retain data on the off-chance that it might be useful in the future unless it is reasonably justifiable. For example, you may collect information on potential candidates for an interview process but once candidates are removed from the process, their data should be deleted.
Your company should have a procedure in place to regularly review the data it retains. It should set a data retention schedule, i.e. a period of time for which it will store each data type that it processes, as part of its data map and erase any data when it is no longer deemed necessary. You should also consider implementing an automated solution that deletes certain data at predefined periods so as to make this process less onerous and much more efficient.
| Data Type | Reason for processing | Explicit permission to process | Team(s) with access privileges | Retention period | Reason for retention period |
|---|---|---|---|---|---|
| Prospective customer emails | To promote company services | Yes – requested annually | Sales; Marketing | 12 months | To continue to promote company services unless customer opts out before retention period expires |
| Customer phone numbers | To provide customer support | Yes – requested annually | Customer Support | As long as the individual remains a customer, or 6 months thereafter | To provide support to customer and to settle account if customer leaves |
| Employment contract data | Legal purposes | Yes – requested during onboarding | HR; Recruiting | 5 years | Legal obligation |
| Unsuccessful candidate resumes | For assessing fit for open positions | Yes – requested during application | Recruiting | 12 months | Likely to contact candidates for future positions |
| Employee salaries | Filing company tax returns; completing payroll | Yes – part of employment contract | HR; Finance | 10 years | Legal obligation; completing payroll |
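The two mechanisms described above, a data map that gates access by team and consent, and a retention schedule that flags data for erasure, can be expressed in code. The following is an added example written for this article, not Ethyca's or Fides' own code; the data map, record fields and retention rules are constructed to mirror two rows of the table (months approximated in days), and the "as long as the individual remains a customer, or 6 months thereafter" rule is handled by counting the period from the date the relationship ended rather than from collection.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class DataMapEntry:
    purpose: str              # reason for processing
    teams: frozenset          # teams with access privileges
    retention: timedelta      # retention period
    from_purpose_end: bool    # True: period runs from when the relationship ended, not from collection

@dataclass
class Record:
    data_type: str
    subject_id: str
    collected_on: str                       # ISO date
    consent: bool                           # explicit permission to process
    purpose_ended_on: Optional[str] = None  # ISO date the customer left, or None while still active

# Constructed data map mirroring two rows of the article's table (months approximated in days).
DATA_MAP = {
    "prospect_email": DataMapEntry("To promote company services", frozenset({"Sales", "Marketing"}), timedelta(days=365), False),
    "customer_phone": DataMapEntry("To provide customer support", frozenset({"Customer Support"}), timedelta(days=182), True),
}

def access_decision(record: Record, team: str) -> tuple:
    """Allow only if the data type is mapped, the team is listed for it, and consent is on file."""
    entry = DATA_MAP.get(record.data_type)
    if entry is None:
        return False, "not in data map: no recorded purpose for this data"
    if team not in entry.teams:
        return False, f"{team} has no access privilege for {record.data_type}"
    if not record.consent:
        return False, "no consent on file for this purpose"
    return True, f"allowed for purpose: {entry.purpose}"

def due_for_erasure(records: list, today: str) -> list:
    """Apply the retention schedule; unmapped data has no justified purpose and is erased outright."""
    review_date = date.fromisoformat(today)
    due = []
    for r in records:
        entry = DATA_MAP.get(r.data_type)
        if entry is None:
            due.append(r)
            continue
        start = r.purpose_ended_on if entry.from_purpose_end else r.collected_on
        if start is None:                     # relationship still active: retain
            continue
        if review_date >= date.fromisoformat(start) + entry.retention:
            due.append(r)
    return due
```

Running `due_for_erasure` on a schedule (a nightly job, for instance) turns the periodic review into the automated deletion step the article recommends, while `access_decision` is the per-request check a data access layer would call.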
There are many elements involved in the collection, access, and retention of personal data that all need to be considered in order to satisfy data privacy laws around the world. The right system is efficient and empowering. The wrong system is onerous, patchwork, and can ultimately lead to large punitive fines. Data minimization represents perhaps the most important differentiator between these two kinds of systems. If you’re looking to implement data minimization that’s painless and automatic for your business, check out Ethyca’s seamless compliance software.