Data Minimization Means Collect and Retain the Minimum Data Possible
Data minimization posits that organizations should only collect the minimum amount of data necessary to accomplish their business purposes. Further, that data should be retained only as long as necessary or required by laws or regulations. From a privacy perspective, organizations must carefully analyze what personal data is collected about their customers, partners, and employees. If the specific personal data does not have a demonstrable business use, then the data should not be collected, and any such data already collected should be deleted.
Data minimization is instantiated in GDPR Articles 5, 25, 47 and 89. The CCPA includes the concepts of collection limitation and minimization, while data minimization is also implied in other regulations such as the Australian Privacy Act. The GDPR states the following on data minimization: “Personal data shall be: … adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).”
What are the key elements?
- Have detailed data classifications that define the data you hold.
- Collect and use only the data needed for the business purpose or service.
- Have clear policies on data retention and delete and/or archive data on a periodic basis.
- Conduct analysis of data sets to determine if the organization is holding duplicate and/or unused data.
What are the tools used?
- Administrative tools and features in database, cloud, and big data platforms.
- Custom scripts.
- Packaged software tools and solutions for data archiving and retirement.