Panelists Offer Tips for Effective Data Minimization
Data minimization is an evolving regulatory landscape that is garnering increased awareness as trust and transparency become more of a focus for organizations and as data breaches highlight the impact of having extra data, said panelists during a webinar hosted by compliance vendor TrustArc on Thursday.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
No matter if an organization is covered by the GDPR, California Consumer Protection Act (CCPA) or another framework, each one “falls under the umbrella of privacy by design,” said Janalyn Schreiber, senior privacy consultant at TrustArc. “Underpinning [data] minimization is the idea that comes with it, which is purpose limitation and being able to potentially slim down some of our storage, eliminate legacy systems.”
Martin Macke, global privacy director at employment agency company ManpowerGroup, said post-GDPR privacy laws have similar principles and consequences. These modern privacy laws, as he calls them, “are never the same, but [from] a principle perspective … those principles are pretty much applicable across the globe.”
There must be a connection between the data gathered from a person and the “business goal of the organization,” Macke said. “If that doesn't exist,” don't collect the data, he added.
“That essentially means we need to understand why we process data, why we collect it, [and] delete it when it's not any longer required based on legal or business data retention schedules, or a combination of both,” he said.
Schreiber added that the law shouldn’t be the only thing compelling companies to limit data collection. “We have a regulatory obligation,” but it's also good business, she noted. Also, the speakers stressed the importance of ensuring data is actually deleted once it’s no longer needed.
To start a data minimization exercise, a company must conduct a thorough inventory, which the speakers said is more complex than it sounds. For example, all parts of the company must be covered. It's not enough to delete data in one system, Macke said. “Ensure it’s deleted in the upstream and downstream system all the way through.”
Transparency can help. For instance, listing retention periods for storing data in a privacy policy is low-hanging fruit that everyone can see, said Schreiber.
Macke said data gathering and deletion is “really a cultural topic.” Humans are “hunters and gatherers, so we collect things … it's our nature,” he said. “Maybe we just keep [data] because we might need it 20 years later,” and it's hard “to change that culture in our organizations.”