OneDPO

What is Data Minimization? Why Is It Important?

For the first decade of the 21st century, businesses and governments could believe that data was the new oil – that those companies and organizations with access to the most data and the best ways of making sense of it would inevitably rise to the top and succeed. 

In reality, it hasn’t worked out that way.

As many organizations are now becoming aware, data can be as much a liability as an asset. Whether it’s data breaches, leaks, inadvertently exposed data, or any of the other common information security nightmares, data is at the root of recent public disasters for companies such as Capital One, Yahoo, Starwood, and more. 

In the span of a few short years, data has gone from an unquestioned asset to a more uncertain category: sometimes an asset, sometimes a liability. 

That’s where data minimization comes in: it removes the data liabilities your firm has, letting you focus your energies on maximizing the value of your data assets.

Data minimization works on a simple principle: the less data you have, the less harm your data can do to you. Therefore, data minimization is a core component of any successful data protection program, along with maintaining a complete inventory of your data assets, risk-ranked lists of which data assets to prioritize, and standard operating procedures for data protection operations. 

By minimizing your attack surface, you’ll be able to better defend the data you do have. This eBook serves as an introduction to what data minimization is, how it can benefit your business, and why you should consider going with OneDPO as your trusted data protection provider.

What is Data Minimization?

Data minimization is exactly what it sounds like: you want to minimize the total amount of data your business has. The trick, of course, is knowing what data to get rid of and why.

When considering which data assets are worth preserving and which should be discarded, there are several core considerations at hand:

The first and easiest type of data to remove is expired data. Examples of this type of data include records seven years or older, customer data where the customer has been inactive for several months or years, operational data from older versions of your software or processes, and other similarly “stale” data.

When trying to remove data, the initial impulse is often to hold on to it “just in case” it becomes useful down the line. This is where activity logs, which keep records of the most recent activities on a given piece of data, become invaluable: by clearly demonstrating how often data is used and when it was last used, they let you better discern which data is worth preserving and which should be dumped.

As a rule of thumb, we encourage clients to consider any data which has not been used in the past year to be guilty until proven innocent and any data not used in the past quarter to be suspicious. Of course, each company’s situation is unique, but in general, if no one in your firm has touched a piece of data in the past year, there’s probably a good reason for it, and the data should be removed unless absolutely necessary.

However, a complete deletion of your data assets may not always be advisable – in particular, many types of data (such as customer agreements, vendor contracts, and legal communications) must be retained for seven years after creation (the duration depends on industry and geography) in the event of legal action or a similar undertaking.

In these cases, we still recommend the data be minimized, but through a different approach: records should be retained in a compressed, offsite storage archive. This way, your firm still has access to the data should the need arise, but the data is hosted in cold storage and therefore minimized from the internal perspective of data security and privacy.
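
The triage described above, as an added example (not OneDPO's code): it derives each asset's last use from an activity log, applies the one-year and one-quarter rules of thumb, and routes stale records that are still under a retention requirement to the archive instead of deletion. The asset names, log format, category names and fixed date are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed inventory: asset -> (category, creation date). All names are hypothetical.
INVENTORY = {
    "crm/active_accounts": ("customer_data", date(2023, 1, 10)),
    "mkt/campaign_export": ("operational", date(2023, 9, 1)),
    "legacy/v1_metrics": ("operational", date(2019, 3, 1)),
    "legal/vendor_contract": ("vendor_contract", date(2020, 6, 15)),
    "legal/old_agreement": ("customer_agreement", date(2015, 2, 1)),
}
# Constructed activity log, one event per line: <date> <user> <action> <asset>
ACTIVITY_LOG = """\
2024-05-28 alice READ crm/active_accounts
2024-01-15 bob READ mkt/campaign_export
2022-11-02 carol READ legacy/v1_metrics
2021-07-19 dave READ legal/vendor_contract
2024-06-01 alice WRITE crm/active_accounts
2016-03-03 erin READ legal/old_agreement
"""
TODAY = date(2024, 6, 10)  # fixed so the result is reproducible
# Assumption: categories with a retention requirement, and a seven-year period
# (the actual duration depends on industry and geography).
RETAINED = {"customer_agreement", "vendor_contract", "legal_communication"}
RETENTION = timedelta(days=7 * 365)

def last_access(log_text):
    """Return {asset: date of most recent logged activity}."""
    last = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        day, asset = date.fromisoformat(parts[0]), parts[3]
        last[asset] = max(day, last.get(asset, day))
    return last

def triage(inventory, log_text, today):
    """Label each asset keep / review / archive / remove."""
    last = last_access(log_text)
    labels = {}
    for asset, (category, created) in inventory.items():
        idle = today - last.get(asset, created)  # never logged: count from creation
        on_hold = category in RETAINED and today - created < RETENTION
        if idle > timedelta(days=365):  # unused for a year: guilty until proven innocent
            labels[asset] = "archive" if on_hold else "remove"
        elif idle > timedelta(days=90):  # unused for a quarter: suspicious
            labels[asset] = "review"
        else:
            labels[asset] = "keep"
    return labels
```

A "remove" label marks a candidate for deletion; whether the data is absolutely necessary remains a decision for its owner.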

Why Data Minimization Matters

Numerous businesses – maybe even yours – have spent the past decades believing the hype that “data = success” in the modern tech-driven economy. While it’s true that informed and judicious use of the right data at the right time can drive significant benefits to your business, not all data is created equal, and knowing what to keep and what to junk is crucial.

The benefits of data minimization are several and varied:

– Reduced Risk from your data

– Ease of Use in mobilizing your data

– Lower Costs for managing your data

These benefits are spread across multiple functional units within your organization. For example, data engineering will find it easier to conduct regular business activities with fewer data assets and lower operational costs. Your security team will appreciate the reduced risk profile that comes from minimizing your data. And your privacy team will definitely be in favor of a lessened regulatory compliance burden and a greatly decreased risk of privacy violations.

The benefits accruing to your firm as a result of data minimization will vary, of course, but over the course of many client engagements, we’ve found several recurring situations where data minimization is called for. Whether it’s a high-growth firm looking to take stock of their position after several intense quarters, or a recently acquired firm needing to integrate with the new parent company, here are our most common use cases for data minimization and their benefits:

The Paradox of Growth

It’s a neat paradox faced by high-growth firms that with each new rapid increase in market share and profitability, the problems don’t seem to stop but keep growing in pace with the company’s growth. Many of our high-growth companies rapidly increase their data footprint and experience unique challenges that come from an expanded threat environment and sudden increases in the value of their data assets.

For these situations, we encourage a proactive approach towards data minimization: if your company is experiencing considerable revenue or valuation growth, or if you even anticipate such growth, the best time to address your potential data risks is before they become a problem. An ounce of prevention is worth a pound of cure, and by addressing your data risks proactively, you’ll be able to focus on your core competencies of driving further growth for your firm.

Mergers & Acquisitions

Whether it’s part of the pre-M&A due diligence process or the post-M&A systems integration, conducting a data minimization program is always recommended for any significant mergers or acquisitions your company undertakes. Especially for data-intensive industries such as financial services, online services, and healthcare, data minimization should be a core component of any M&A activity: it directly impacts the bottom line of these transactions.

In handling data minimization programs for M&A deals, we recommend including data models for both parties of the transaction – after all, the resulting firm is meant to operate as one entity, so it just makes sense to build that desired result into the process from the beginning. This can hold true for other types of corporate actions, especially when raising equity capital, and data minimization should be a core part of similar capital markets endeavors.

Digital Transformations

Lastly, a data minimization program must be part of any digital transformation efforts. For many institutions and established firms, digital transformation projects will be an ongoing domain for many years to come, and the opportunity created by them to radically transform the efficiency and effectiveness of your business operations is a great chance to improve your data protection efforts simultaneously.

Digital transformation efforts are historically where our holistic approach has shined brightest. Our platform specializes in getting to the “Why?” behind the data: why is this data important or useful? Why do we care about using this data in the right way? Digital transformation efforts represent a great opportunity for your business to ask these questions and to take the appropriate actions if no good use for your data can be found.

Benefits of Data Minimization

In addition to customer data protection, the following are some of the benefits companies realize by the minimization of data. 

  • Reduced Cost of Data Storage

Data storage costs money. The less data you store, the less it costs, to the benefit of the organization. With this in mind, it is advisable that companies only collect relevant data and store it for the duration of its usefulness.

  • Efficient Data Management

Data storage and retrieval are more manageable when there is less of it. It takes less time and creates confidence that the retrieved data is current and appropriate. When requests are sent out, data managers are sure to respond quickly.

  • Improved Customer Participation

Most customers are more responsive to less personal questions and would only give their data to companies that assure them that their private information will not be stored on the company’s servers.

  • Compliance with European Union Data Protection Act

This Act requires that businesses holding information about EU citizens apply data minimization policies to protect such citizens.