Keeping Only What is Necessary
Data Minimization is the practice of limiting the amount of data that is stored, to reduce risk and cost while complying with laws and regulations. For data privacy purposes, it refers to retaining only the data necessary to accomplish the purpose for which it was collected. It is both a preventative and corrective practice designed to avoid accumulating unnecessary data that burdens an organization’s storage capacity and data management processes and increases the risks and impacts of potential legal liabilities and cybercrime.
Realizing Multiple Benefits
Data Minimization is a core principle that drives cost-saving and risk-reduction opportunities for your stored data. This vital business function provides multiple benefits in cost savings, operational efficiency, and risk management.
All information that exists in storage is discoverable whether demanded through legal proceedings or stolen in a cybercrime. Data that is no longer useful for business purposes often carries risk that outweighs any benefit the information could have now or in the future. The concept of “data minimization” is gaining traction with U.S. lawmakers and regulators, and these risks and resulting penalties are very real.
For example, in June 2022 the FTC brought an enforcement action against online retailer CafePress, alleging: failure to protect consumers’ personal data; retaining information longer than necessary, without a business need; and covering up a major data breach. The FTC has also included Data Minimization in its recent proposed rulemaking on data privacy, and the NYS Department of Financial Services’ recent settlement with EyeMed requires the company to implement Data Minimization.
Reducing Costs and Inefficiencies
Retaining information that is no longer needed is inefficient. There is more to churn through during daily operations or discovery activities. This increases search time, which raises costs. For data storage, more companies today are using cloud-based solutions; the global market is expected to record 23% growth annually until 2026. It is estimated that storing 1 Petabyte (1,000 Terabytes) of data costs over $1.0 million for five years; at least one-third of this cost covers storage-related operations, data transfer, network activity, data backup, data security, and data management. Storage costs for physical records also build over time, potentially amounting to millions of dollars spent annually preserving information that is likely “ROT” (redundant, obsolete and/or trivial data).
Making Smart Decisions
What data should be retained? And what data can – and should – be deleted without compromising your compliance with applicable laws, regulations, and related potential tax/legal holds? Data-related regulations are proliferating across the U.S. and worldwide. Regulations depend on the jurisdiction and type of data, such as Personally Identifiable Information (PII), Protected Health Information (PHI), and Nonpublic Personal Information (financial) records. As a first step towards Data Minimization, an assessment of a company’s data environments examines the landscape and potential impact of the presence of personal, sensitive, and similar data, enabling the organization to determine a risk-based approach to implementing Data Minimization.
Companies must remain compliant with external requirements and internal employee practice. Bernstein Data can walk you through this process, helping you establish the requisite policies and procedures, including training. During a recent pilot exercise with a company of 30,000 employees, we estimated that nearly 30% of network file storage data could be deleted without negative consequences. This was data that had been sitting in digital storage for years, sometimes decades, along with data no longer necessary for legal/tax requirements and/or company operations. Unsurprisingly, most of this data fell under the heading of ROT. An efficient review procedure was established, and senior management decided to delete the data.
To address all these factors, Bernstein Data develops enterprise-wide governance, processes, and tools – including Retention Schedules and policies for defensible disposal and records retention – that can help your organization maintain resilient and reasonable Data Minimization practices.