Why data minimization is always a good idea



Until a few years ago, the concept of data minimization was all but unheard of in business technology circles. With more sources of data available than at any point in history — not to mention data storage being cheap and readily available — companies had little reason in the recent past to curb their appetites for the personal data that zoomed in and out of their systems. “Big data” became the buzzword du jour, gurus proclaimed data “the new oil,” and businesses responded by hoarding as much as their servers or cloud systems could hold.


Then along came GDPR, and suddenly those massive data lakes became a potential liability. Businesses faced obligations such as maintaining records of processing activities (ROPAs) and honoring data subjects’ rights to access and deletion — plus a specific requirement that personal data be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)” (GDPR Article 5(1)(c)). Shortly thereafter came CCPA, which, while not specifically requiring data minimization, imposes obligations that are far easier to manage when an organization is not swimming in superfluous personal data.






The ROI of data privacy

According to a recent survey by Cisco, businesses that have implemented data privacy principles are seeing substantial benefits beyond the compliance factor. Most of the organizations surveyed reported very positive returns on their data privacy investments, with an average of $2.70 in benefit for every dollar spent. More than 70 percent affirmed they are seeing benefits in the areas of competitive advantage, organizational agility, and improved attractiveness to investors.


The 3 principles of data minimization

Data minimization comes down to three simple principles:

  • Collect as little data as necessary (after making sure you have the right to collect it).
  • Grant access to as few people as possible.
  • Only hold it for as long as you need it.

For many organizations, this approach marks a radical shift from their traditional data practices. The good news is that, even if GDPR doesn’t apply to your organization, practicing data minimization can deliver a host of benefits. Here are just a few:


Benefit #1: Reduced exposure to data theft

The average data breach involves more than 25,000 records, and the cost per breached record in the United States is about $242 — in the healthcare industry, the cost runs as high as $429 per record. Several major fines have been proposed under GDPR for data breaches (including fines of $99 million against Marriott and $230 million against British Airways), and CCPA grants a private right of action to consumers affected by breaches, with damages ranging from $100–$750 per consumer per incident.


When you limit the amount of personal data you collect, the number of people who can access it, and the length of time you hang on to it, you create a smaller data footprint that needs to be secured. And should a breach occur, data minimization practices enable you to limit the number of records that could be compromised.


Benefit #2: Efficient data management

Think of your organization’s data systems as a house: in a hoarding situation, when the house is packed to the rafters with things you don’t need (or things that have outlived their usefulness), it’s much harder to find the things you do need when you need them.


Knowledge workers already spend a large portion of their days searching for information, and the sum of the world’s data is growing at a rate of 61 percent year-over-year. When there’s less data in your systems, it’s easier to manage and to make available to team members who need it, when they need it. Additionally, if you’re discarding data when it becomes obsolete, employees can be confident that the data they retrieve is current and accurate.


Benefit #3: Prompt responses to data subject requests (DSRs)

Both GDPR and CCPA grant individuals specific rights to request access to and deletion of their personal data (among other rights), and businesses are obliged to respond within a reasonable time frame (one month under GDPR, 45 days under CCPA).


When an organization is swimming in data — some of which may be obsolete — responding to data subject requests within the required time frame could be problematic. If you limit the data you gather on individuals starting with the first point of contact, you will have less information to track down when those requests do come in.


Benefit #4: Improved customer trust

In a recent survey, 84 percent of consumers said they have refused to engage with a business because it demanded too much of their personal information. When customers know that you only gather as much personal data as is necessary to conduct business — and take concrete steps to ensure the data is handled responsibly — they are more likely to place their trust in your brand and to keep coming back.


Benefit #5: Readiness for future regulations

With two major pieces of data privacy legislation in force and more on the way — including a possible U.S. federal law — nearly every organization is likely to be subject to one or more privacy laws in the near future. Even if no current data privacy regulations apply to you, implementing data minimization practices now prepares the organization to align with future laws as they come into force.


Regardless of which – if any – data privacy laws currently apply to your organization, the days of collecting as much data as possible and hanging onto it ad infinitum, “just in case,” are over. Companies that practice data minimization are better prepared to address the demands of today’s business environment, where, when it comes to personal data, “less is more.”











Jill Reber, General Manager of Data Privacy at Logic20/20, is a nationally recognized expert on data privacy — particularly GDPR, CCPA, and other data protection laws — and has spoken on the topic at conferences sponsored by Information Management, American Banker, International In-House Counsel Journal, and other national and international organizations.

