Data Minimization—A Practical Approach

Author: Mohammed Khan, CISA, CRISC, CDPSE, CIPM, Six Sigma Certified Green Belt
Date Published: 29 March 2021

The amount of data collected across enterprises has exponentially increased over the years—and it continues to grow. One of the basic principles to account for is data minimization, which is rightly highlighted in the EU General Data Protection Regulation (GDPR), stating that “Personal data shall be: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization).”1

Enterprises may only collect as much data as are necessary for the purposes defined at the time of collection, which may also be set out in a privacy notice (sometimes referred to as a privacy statement, a fair processing statement or a privacy policy). It is important to note that collecting any data in excess of what are necessary for these purposes is not permitted.

Best Practices

One may then ask, how can an enterprise ensure that it does not collect more data than it is supposed to? To prevent excessive data collection, common best practices should be followed:

  • Define the purpose of the data as explicitly as possible. Everyone involved, including data subjects and members of the enterprise, should be able to easily understand the purpose and use of the data.
  • Specify and define the processing of the data, which is specific to how data will be used. Any clarification from the enterprise should be properly acknowledged and discussed in a timely manner.
  • Evaluate methodologies of data collection minimization by designing and implementing processes that require the least personal data or that only require anonymized data.
  • Whenever data input is required from users, limit the available input options by use of checkboxes rather than freeform text.
  • Use automated processes, such as machine learning and artificial intelligence (AI), to eliminate data that are no longer required before fully ingesting the data into the enterprise’s systems.
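As an added illustration of the practices above (not code from the article or from ISACA), this Python example applies a purpose-bound field allowlist and fixed choice options to a record before it is ingested. A rule-based filter stands in for the automated process; the purpose names, field names and sample record are constructed assumptions.

```python
# Hypothetical purpose registry: each declared purpose names the only fields
# it needs and, for choice-style fields, the fixed options a user may select.
PURPOSES = {
    "order_fulfilment": {
        "fields": {"name", "shipping_address", "contact_preference"},
        "choices": {"contact_preference": {"email", "sms", "none"}},
    },
    "newsletter": {
        "fields": {"email", "topics"},
        "choices": {"topics": {"security", "privacy", "audit"}},
    },
}

# Constructed sample input: two fields exceed the declared purpose.
SAMPLE = {
    "name": "A. Example",
    "shipping_address": "1 Constructed Street",
    "contact_preference": "email",
    "date_of_birth": "1990-01-01",
    "notes": "freeform text that may contain anything",
}

def minimize(record, purpose):
    """Return (record limited to the purpose, sorted names of dropped fields)."""
    if purpose not in PURPOSES:
        # No declared purpose means there is no basis for collecting anything.
        raise ValueError(f"no declared purpose: {purpose!r}")
    spec = PURPOSES[purpose]
    kept, dropped = {}, []
    for field, value in record.items():
        allowed = spec["choices"].get(field)
        if field not in spec["fields"]:
            dropped.append(field)          # not needed for this purpose
        elif allowed is None:
            kept[field] = value            # needed, no fixed option set
        else:
            values = value if isinstance(value, list) else [value]
            if all(isinstance(v, str) and v in allowed for v in values):
                kept[field] = value        # every selection is a known option
            else:
                dropped.append(field)      # freeform text where a choice belongs
    return kept, sorted(dropped)

if __name__ == "__main__":
    kept, dropped = minimize(SAMPLE, "order_fulfilment")
    # Report only field names; dropped values are never written anywhere.
    print("ingest:", sorted(kept), "discarded:", dropped)
```

Only the names of discarded fields are reported, so the audit trail of what was dropped does not itself retain the excess data.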

Enterprise Benefits of Data Minimization

There are several benefits of data minimization, including the following:2

  • Essential principle of data protection—This is required by data regulations and includes lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, security and accountability.
  • Reduced ecological footprint—Less data means less computing power and less of a physical hard trail of paperwork.
  • Adherence to EU GDPR compliance—This is now a very universal approach among many major privacy regulatory bodies across the globe.
  • Reduction of data storage cost—Although data storage is getting cheaper, it still adds to the computing cost of enterprises.
  • Increased performance—Less data means more processing in a shorter time for business-critical processes.

Enforcement of Data Minimization

Regulatory enforcement over data minimization is increasing. In one example, the US Federal Trade Commission (FTC) cited a major enterprise with failure to delete information no longer needed and, as a result, failure to implement reasonable protection.3 Another enterprise was fined EU €14.5 million for failing to get rid of old files.4 These types of enforcements further prove that it is better to collect less data from the onset and have a proper governance and data management mechanism in place to eliminate data when it is not entirely required for the purpose of conducting business.

Conclusion

Collecting data is easy but becoming the rightful custodian of that data is challenging. It is essential to have proper processes and controls in place to collect the minimum amount of data for the purpose of conducting business, protect the data and, upon completion of data usage, ensure proper mechanisms to discard the data in the rightful manner and minimize the enterprise’s data collection footprint.

Author’s Note

The views, opinions and positions expressed within this article are those of the author alone and do not represent those of the company for which he works. The author’s company does not make any representations as to the accuracy, completeness and validity of any statements made in this article and will not be liable for any errors, omissions or representations.

Endnotes

1 De la Torre, L. F.; “What Is ‘Data Minimization’ Under EU Data Protection Law?” Medium, 22 January 2019
2 Dataguise, “Minimize Your Organization’s Personal Data Footprint to Reduce Compliance and Security Risks”
3 Federal Trade Commission (FTC), “Utah Company Settles FTC Allegations it Failed to Safeguard Consumer Data,” USA, 12 November 2019
4 Gesser, A.; M. Kelly; W. Schildknecht; V. Jungkind; C. Raspé; “A 14.5 Million Euro Fine for Failing to Get Rid of Old Files—Data Minimization Is Becoming a Stand-Alone Cybersecurity Obligation,” New York University School of Law Program on Corporate Compliance and Enforcement, 6 December 2019

Mohammed Khan, CISA, CRISC, CDPSE, CIPM, Six Sigma Certified Green Belt

Is the global head of digital health, IT, cyber and privacy audit at a global medical device and healthcare organization. He manages a global team responsible for enterprise risk management across the organization and conducting audits, assessments and advisory engagements. He has spearheaded multinational global audits and assessments in several areas, including enterprise resource planning systems, global data centers, cloud platforms, third-party manufacturing and outsourcing reviews, process re-engineering and improvement, global privacy assessments and FDA guidance specific to medical device cyber. He previously worked as an advisory consultant for leading consulting firms and multinational organizations. Khan frequently speaks at national and international conferences on topics related to data privacy, cybersecurity and risk advisory. He volunteers as an ISACA® Journal peer reviewer and contributes actively to the ISACA Journal and blogs. He also serves on the Digital Healthcare Committee for ISACA®, recommending industry leading thought leadership and guidance. He is a recipient of the ISACA John W. Lainhart IV Global Award for recognition of his major contributions to the development and enhancement of the common body of knowledge used by the ISACA organization and its members.