Data minimization is one of the most important principles your business can follow to respect user data – and comply with global privacy laws. Follow along to see the basics of how to implement minimization in your data operations.
Data minimization is a principle enshrined in the EU’s General Data Protection Regulation (GDPR) and Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD). It requires organizations to limit the amount and type of personally identifiable information they process to the minimum necessary to achieve their stated purposes. It is also set to become part of US privacy law: the CPRA, or “CCPA 2.0”, contains data minimization provisions and is to be voted on in November 2020.
Data minimization means that a company must limit the personal data it collects, stores and uses to what is relevant, adequate and strictly necessary for the business purpose at hand. It follows that the company should also erase data from its systems once it is no longer necessary for that purpose.
These principles are straightforward to understand, but they can be challenging to implement in large organizations with complex technical infrastructure. In this article, we’ll show how to implement basic data minimization processes for any size of team. First, though, we’ll show you why it matters.
Before considering how your organization can address the principle of data minimization, you should make sure that you have a clear understanding of your existing data infrastructure. You can find out more about mapping the state and flow of this data in our guide to building a company data map.
In order to comply with existing data privacy law and respect the principle of data minimization, there are two key steps that your organization should undertake.
First, critically assess how your company currently collects, retains and manages access to personally identifiable information. Here are the questions you need to ask:
Collection
Every piece of data that a company collects should be referenced in your data map along with the specific business purpose for collecting it. This ensures that the principle of data minimization is continually adhered to, and that an auditable log exists for compliance purposes. For example, any time your marketing or sales team begins collecting new personally identifiable information from a campaign that they’re running, you should make sure that it is logged in your organization’s data map along with the specific purpose for which it will be used.
In practice, this should be codified in two places: your company’s Privacy Policy and any Data Processing Agreement (DPA) with third-party vendors. In each, you should note that personal data should only be collected so long as it is necessary to achieve a specified purpose. The data collected must be relevant to this purpose and limited to what is required for the specific purpose. In short, if data is not needed to achieve your organization’s goals, you shouldn’t collect it, and that should be stated explicitly in company policy.
Access
As part of your data map, you should have a record of the different types of data that your company collects and processes, along with the individuals or teams that have access to that data. You should also include a record with justification for the individual or team having access to it. For example, the finance person responsible for payroll will need access to employee salary data. The entire finance team does not need access unless it is necessary for them to fulfill their individual duties.
Once you have an overview of the personal data that your company processes and the individuals or teams that should have access to it, you will need a system to manage access privileges on an ongoing basis. In reality, people move teams or change roles within an organization, and shared collaboration platforms can inadvertently become a point of data leakage if privileges are never revisited.
You’ll need a solution for managing data access privileges across your organization: one that limits access so that only specific applications or specific individuals can read the specific fields of data required for a specific business process (least privilege applied at the field level, not just per database or per table). The system should also tell the person granting access whether the data subject has given permission for their personal data to be used for the defined business purpose, and it should deny access when the requested use falls outside the purpose the data was collected for. This keeps the user’s privacy and personal rights top of mind in all business operations.
Retention
Indefinitely retaining every piece of data that your company collects is both inefficient and contrary to the principle of data minimization. Instead, your organization should periodically review the data it processes and erase anything that is no longer necessary for the purpose it was originally collected for. Retain personally identifiable information only when it is required to fulfill a pre-specified purpose; do not keep data on the off-chance that it might be useful in the future unless that retention is reasonably justifiable and documented. For example, you may collect information on candidates during an interview process, but once a candidate is removed from the process, their data should be deleted.
Your company should have a procedure in place to regularly review the data it retains. It should set a data retention schedule, i.e. a period of time for which it will store each data type that it processes, as part of its data map and erase any data when it is no longer deemed necessary. You should also consider implementing an automated solution that deletes certain data at predefined periods so as to make this process less onerous and much more efficient.
Data Type | Reason for processing | Explicit permission to process | Team(s) with access privileges | Retention period | Reason for retention period |
---|---|---|---|---|---|
Prospective customer emails | To promote company services | Yes – requested annually | Sales; Marketing | 12 months | To continue to promote company services unless customer opts out before retention period expires |
Customer phone numbers | To provide customer support | Yes – requested annually | Customer Support | As long as the individual remains a customer or 6 months thereafter | To provide support to customer and to settle account if customer leaves |
Employment contract data | Legal purposes | Yes – requested during onboarding | HR; Recruiting | 5 years | Legal obligation |
Unsuccessful candidate resumes | For assessing fit for open positions | Yes – requested during application | Recruiting | 12 months | Likely to contact candidates for future positions |
Employee salaries | Filing company tax returns; completing payroll | Yes – part of employment contract | HR; Finance | 10 years | Legal obligation; Completing payroll |
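The table above is a data map that software can act on. As an added example that is not part of the original article or of Ethyca’s own software, the following Python encodes a few rows of such a map and uses it for the two mechanical checks described earlier: a fail-closed, per-team access decision that also consults the subject’s recorded permission, and a retention sweep that derives each record’s erasure date from its schedule. The data type keys, team names and sample records are constructed for illustration and are not taken from any real system.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# One row of the data map, reduced to the fields the checks need.
# retention_days=None means "for as long as the relationship lasts",
# with post_relationship_days applied once it ends (the customer phone row).
@dataclass(frozen=True)
class DataMapEntry:
    purpose: str
    teams: frozenset
    retention_days: Optional[int]
    post_relationship_days: int = 0

# Hypothetical encoding of the table; keys and team names are assumptions.
DATA_MAP = {
    "prospective_customer_email": DataMapEntry(
        "promote company services", frozenset({"sales", "marketing"}), 365),
    "customer_phone": DataMapEntry(
        "provide customer support", frozenset({"support"}), None, 180),
    "candidate_resume": DataMapEntry(
        "assess fit for open positions", frozenset({"recruiting"}), 365),
    "employee_salary": DataMapEntry(
        "payroll and tax filing", frozenset({"hr", "finance"}), 10 * 365),
}

@dataclass
class Record:
    subject_id: str
    data_type: str
    collected_on: date
    consent_on_file: bool                      # explicit permission recorded?
    relationship_ended_on: Optional[date] = None

def access_decision(team: str, rec: Record) -> tuple[bool, str]:
    """Fail-closed check: allow only if the data type is mapped, the team is
    listed as justified for it, and the subject's permission is on file."""
    entry = DATA_MAP.get(rec.data_type)
    if entry is None:
        return False, f"{rec.data_type!r} is not in the data map"
    if team not in entry.teams:
        return False, f"team {team!r} has no justified access to {rec.data_type!r}"
    if not rec.consent_on_file:
        return False, f"no permission on file for subject {rec.subject_id}"
    return True, f"allowed for purpose: {entry.purpose}"

def expiry_date(rec: Record) -> Optional[date]:
    """Date on which the record becomes due for erasure, or None if the
    retention clock has not started (e.g. the person is still a customer)."""
    entry = DATA_MAP[rec.data_type]
    if entry.retention_days is not None:
        return rec.collected_on + timedelta(days=entry.retention_days)
    if rec.relationship_ended_on is None:
        return None
    return rec.relationship_ended_on + timedelta(days=entry.post_relationship_days)

def retention_sweep(records, today: date) -> tuple[list[Record], list[Record]]:
    """Split records into (due for erasure, unmapped types needing review).
    Data collected without a recorded purpose is flagged rather than silently
    kept, since the map is the only justification for holding it."""
    to_erase, unmapped = [], []
    for rec in records:
        if rec.data_type not in DATA_MAP:
            unmapped.append(rec)
        elif (exp := expiry_date(rec)) is not None and exp <= today:
            to_erase.append(rec)
    return to_erase, unmapped

# Constructed sample data and a fixed sweep date so the run is reproducible.
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("lead-1", "prospective_customer_email", date(2023, 1, 15), True),   # 12 months elapsed
    Record("lead-2", "prospective_customer_email", date(2024, 3, 1), True),    # still within period
    Record("cust-7", "customer_phone", date(2019, 5, 5), True),                # active customer
    Record("cust-9", "customer_phone", date(2019, 5, 5), True,
           relationship_ended_on=date(2023, 11, 1)),                           # 6 months after leaving
    Record("cand-3", "candidate_resume", date(2024, 1, 10), False),            # no permission on file
    Record("lead-x", "loyalty_card_scan", date(2024, 2, 2), True),             # never added to the map
]

if __name__ == "__main__":
    for team, rec in [("finance", SAMPLE_RECORDS[4]), ("recruiting", SAMPLE_RECORDS[4]),
                      ("sales", SAMPLE_RECORDS[1]), ("marketing", SAMPLE_RECORDS[5])]:
        print(team, rec.subject_id, access_decision(team, rec))
    erase, review = retention_sweep(SAMPLE_RECORDS, TODAY)
    print("erase:", [r.subject_id for r in erase], "review:", [r.subject_id for r in review])
```

Two design points matter more than the details: the access check fails closed (an unmapped data type or an unlisted team is a denial, not a default allow), and the sweep surfaces data that was collected without ever being entered in the map, which is exactly the situation the Collection section warns about. A real deployment would run `retention_sweep` on a schedule, log each erasure for the audit trail, and feed `access_decision` from an identity provider rather than a literal team string.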
There are many elements involved in the collection, access, and retention of personal data that all need to be considered in order to satisfy data privacy laws around the world. The right system is efficient and empowering. The wrong system is onerous, patchwork, and can ultimately lead to large punitive fines. Data minimization represents perhaps the most important differentiator between these two kinds of systems. If you’re looking to implement data minimization that’s painless and automatic for your business, check out Ethyca’s seamless compliance software.