According to a recent survey published by the International Association of Privacy Professionals, some three-quarters of IT and infosecurity professionals ranked data minimization as the most important privacy function in mitigating the risk of a data breach. This raises two important questions: what is data minimization, and why does it help privacy and information security professionals?
Less is More
The definition of data minimization is relatively straightforward: only collect as much personal data as you really need, and only for as long as you have to. The EU Data Protection Directive crystallized why it matters to privacy professionals: “personal data is collected for specified, explicit and legitimate purposes” and must be “adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed”. Collecting and keeping personal data unnecessarily is a violation of a user’s privacy.
For information security, data minimization has a further benefit: it limits the risk of a data breach. Implementing a security and monitoring program is less daunting if you can keep the scope focused on a minimized data set. In basic terms, the less data that needs to be protected, and the fewer places it is kept, the better.
Knowledge is Power
Data minimization requires an ability to limit what gets collected, purge what’s redundant or unnecessary and filter what can get shared. While good privacy design and processes can reduce burdens upfront and simplify future efforts, there will always be a need to operationalize data investigation and minimization. However, most companies are ill-equipped to accurately inventory or minimize their customer data. They lack basic tools to catalogue their customer information, have no systematic way to calculate what should be eliminated or filtered and can’t easily locate the data elements that need elimination or filtering.
If privacy is to become more operationalized with the goal of improving the efficacy of customer data protection, organizations will need to find product-centered approaches to minimize what customer data gets collected, retained and shared. This will require technology for effective identity data discovery, scoring, and access. For the global enterprise, managing the privacy of customer information is no longer optional, and best effort is no longer adequate. Simplified data minimization will increasingly be part of an effective privacy management strategy.