Data minimization is one of the most important principles your business can follow to respect user data – and comply with global privacy laws. Follow along to see the basics of how to implement minimization in your data operations.
Data minimization is a principle enshrined by General Data Protection Regulation (GDPR) and Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD) that requires organizations to limit the amount and type of personally identifiable information that they process to the minimum of what is necessary to achieve their purposes. It’s also a principle set to become enshrined in US privacy law too; the CPRA, or “CCPA 2.0”, contains directives relating to data minimization, to be voted on in November 2020.
Data minimization means that a company must limit the personal data that it collects, stores and uses to only include data that is relevant, adequate and absolutely necessary for carrying out the relevant business purpose. They should also, therefore, ensure that data is erased from their systems once it is no longer deemed necessary.
These principles are straightforward to understand, but they can be challenging to implement in large organizations with complex technical infrastructure. In this article, we’ll show how to implement basic data minimization processes for any size of team. First, though, we’ll show you why it matters.
In order to comply with existing data privacy law and respect the principle of data minimization, there are two key steps that your organization should undertake.
First, critically assess how your company currently collects, retains and manages access to personally identifiable information. Here are the questions you need to ask:
Every piece of data that a company collects should be referenced in your data map along with the specific business purpose for collecting it. This ensures that the principle of data minimization is continually adhered to, and that an auditable log exists for compliance purposes. For example, any time your marketing or sales team begins collecting new personally identifiable information from a campaign that they’re running, you should make sure that it is logged in your organization’s data map along with the specific purpose for which it will be used.
As part of your data map, you should have a record of the different types of data that your company collects and processes, along with the individuals or teams that have access to that data. You should also include a record with justification for the individual or team having access to it. For example, the finance person responsible for payroll will need access to employee salary data. The entire finance team does not need access unless it is necessary for them to fulfill their individual duties.
Once you have an overview of the personal data that your company processes and the individuals or teams that should have access to it, you will then need to make sure that you have a system in place to manage access privileges on an ongoing basis. In reality, people often move teams or their role changes within an organization. There will be shared platforms teammates use to collaborate which can inadvertently become a point of data seepage.
You’ll need to implement a solution that enables the secure management of data access privileges across your organization. Such a solution enables data access to be limited so that only specific applications or specific individuals have access to specific fields of data required for a specific business process. This system should also inform the person managing access privileges as to whether or not the user has provided consent for their personal data to be used for a defined business purpose. This ensures that the user’s privacy and personal rights are kept top of mind for all business operations.
Indefinitely retaining every piece of data that your company collects is both inefficient and contrary to the principles of data minimization. Instead, your organization should periodically review the data that it processes and erase anything that is no longer necessary to fulfill the purpose that it was originally collected for. You should only retain personally identifiable information if it is required to fulfill a pre-specified purpose and should not retain data on the off-chance that it might be useful in the future unless it is reasonably justifiable. For example, you may collect information on potential candidates for an interview process but once candidates are removed from the process, their data should be deleted.
Your company should have a procedure in place to regularly review the data it retains. It should set a data retention schedule, i.e. a period of time for which it will store each data type that it processes, as part of its data map and erase any data when it is no longer deemed necessary. You should also consider implementing an automated solution that deletes certain data at predefined periods so as to make this process less onerous and much more efficient.
|Data Type||Reason for processing||Explicit permission to process||Team(s) with access privileges||Retention period||Reason for retention period|
|Prospective customer emails||To promote company services||Yes – requested annually||Sales; Marketing||12 months||To continue to promote company services unless customer opts out before retention period expires|
|Customer phone numbers||To provide customer support||Yes – requested annually||Customer Support||As long as the individual remains a customer or 6 months thereafter||To provide support to customer and to settle account if customer leaves|
|Employment contract data||Legal purposes||Yes – requested during onboarding||HR; Recruiting||5 years||Legal obligation|
|Unsuccessful candidate resumes||For assessing fit for open positions||Yes – requested during application||Recruiting||12 months||Likely to contact candidates for future positions|
|Employee salaries||Filing company tax returns; completing payroll||Yes – part of employment contract||HR; Finance||10 years||Legal obligation; Completing payroll|
There are many elements involved in the collection, access, and retention of personal data that all need to be considered in order to satisfy data privacy laws around the world. The right system is efficient and empowering. The wrong system is onerous, patchwork, and can ultimately lead to large punitive fines. Data minimization represents perhaps the most important differentiator between these two kinds of systems. If you’re looking to implement data minimization that’s painless and automatic for your business, check out Ethyca’s seamless compliance software.
At Ethyca, we believe that software engineers are becoming major privacy stakeholders, but do they feel the same way? To answer this question, we went out and asked 337 software engineers what they think about the state of contemporary privacy… and how they would improve it.
The UK’s new Data Reform Bill is set to ease data privacy compliance burdens on businesses to enable convenience and spark innovation in the country. We explain why convenience should not be the end result of a country’s privacy legislation.
Our team at Ethyca attended the PEPR 2022 Conference in Santa Monica live and virtually between June 23rd and 24th. We compiled three main takeaways after listening to so many great presentations about the current state of privacy engineering, and how the field will change in the future.
For privacy engineers to build privacy directly into the codebase, they need agreed-upon definitions for translating policy into code. Ethyca CEO Cillian unveils an open source system to standardize definitions for personal data living in the tech stack.
Masking data is an essential part of modern privacy engineering. We highlight a handful of masking strategies made possible with the Fides open-source platform, and we explain the difference between key terms: pseudonymization and anonymization.
The American Data Privacy and Protection Act is gaining attention as one of the most promising federal privacy bills in recent history. We highlight some of the key provisions with an emphasis on their relationship to privacy engineering.
Our team of data privacy devotees would love to show you how Ethyca helps engineers deploy CCPA, GDPR, and LGPD privacy compliance deep into business systems. Let’s chat!Book a Demo