Data minimization is one of the most important practices your organization can follow to properly manage personal data – and comply with global privacy laws.
What is Data Minimization?
Simply put, data minimization is the reduction and removal of data that does not serve (or no longer serves) a useful or reasonable purpose. In its simplest form, ROT removal is a form of data minimization in that it literally removes content no longer “worthy” of being kept (by virtue of its age, duplication or lack of value).
However, although data minimization is not a new concept per se, it has found new life as one of the core tenets of data privacy regulations, notably the General Data Protection Regulation (GDPR) in the EU. And since GDPR is often pointed to as the blueprint for emerging privacy regulation in the United States and elsewhere, it’s important to understand the concept and its requirements.
True data minimization means having policies, practices, and assurances in place that no data is being kept longer than it needs to be, nor is it being used for purposes that were not originally intended or specified at the time of data acquisition or creation, and that data owners/originators have the ability to affect the gathering, use and disposal of their personal data.
How does Data Minimization relate to Information Governance?
Because data minimization affects multiple groups inside and outside of the organization, and explicitly refers to data management policies and practices, it falls squarely within the purview of information governance. Good information governance practices should include data minimization efforts as part of the overall objectives around security, sensitivity, data storage, privacy, records and more. As with many information governance topics, data minimization lands at a crossroads between Legal and IT responsibilities and is best served by a cross-functional information governance team.
As part of your information governance stance, your organization is likely a data controller, a data processor, or in some cases, both. A data controller should limit the collection of personal data to only what is directly relevant and necessary to accomplish a specified purpose. They should also retain the data only for as long as is necessary to fulfill that purpose. A data processor, who is acting at the direction of the data controller, should ensure that the data controller’s policies include requirements for data minimization, including auditing of the processor’s practices and performance.
How to accomplish Data Minimization?
As with many information governance tasks, in order to properly manage your data or content, you need to know what it actually is. With data, files and content all over your organization, this can be a daunting task. Luckily there is AutoClassification to help. To get started executing upon data minimization, you will need:
- A policy for how you manage data, including specific provisions for how you manage personal data collected in the normal course of business.
- A systematic means for identifying what information you have, where it lives, and how you will action it. This is where AutoClassification comes in.
- A program to routinely assess the state of your information, providing appropriate cleanup, safeguards, and reporting over time
- Proof of your compliance
