What Is Data Minimization

Data minimization is collecting and processing the smallest possible amount of data needed to complete an operation. Collecting less data can help an organization in many ways

There’s a meme that says, “I don’t have a problem. I HAVE A COLLECTION!” while showing people surrounded by sneakers, or cats, or whatever “collection” it is they’re so obsessed with that they spend ridiculous amounts of time and money “curating” it.

The meme is usually funny because of the level of excess displayed. Everyone needs shoes, but nobody needs 125 pairs of brand-new Air Jordans that won’t ever get worn outside, right?   And don’t even mention the cat videos.

When trying to effectively analyze and manage the personal information an organization collects from its customers, they may have inadvertently turned into an example of this meme, the opposite of proper data management.

For almost as long as e-commerce has existed, companies have aggressively collected as much data about their users as possible, regardless of whether the information was usable.

This haphazard acquisition of sensitive consumer information went about as well as haphazard plans usually do, which is to say, not well.

After a seemingly endless stream of massive data breaches, increasing rates of identity theft, and the exposure of shady data management practices across virtually all social media platforms, consumer advocates were finally able to spur government action on digital privacy.

In 2016, the European Union’s General Data Protection Regulation (GDPR) became the world’s strictest comprehensive privacy legislation . . . but it was not the last.

Unlike many other governments, the U.S. didn’t pass a federal digital privacy law, choosing instead to leave the matter up to each state. Initially, California, Virginia, Colorado, and Utah put legislation on their books that gives consumers more rights in determining how their sensitive personal information is collected and used online. Several other states have proposed bills in committee. Each of these laws has unique requirements, and even the GDPR has been amended since becoming enforceable.

But because almost all these statutes apply to companies that operate and/or collect information from residents in each jurisdiction, and because it is now a global economy where cross-border transactions are a daily reality, most businesses are finding it more effective to base their privacy program on data management best practices.

And the foundation of data management best practices is data minimization.

What is data minimization?

Data minimization is precisely what it sounds like: collecting and processing the smallest possible amount of data needed to complete an operation. While it might seem counterintuitive, collecting less data can help in several ways:

• Lower risk of breach or data exposure
• Make it easier to establish and maintain compliance
• Cut costs for data maintenance, protection, and storage
• Improve the quality of data
• Future-proof marketing and privacy programs
• Reduce energy consumption and pollution

Basically, data minimization is the difference between being a data connoisseur and a data hoarder.

So, what does data minimization look like in practice?

According to most privacy laws and best practices, organizations have an obligation to disclose to users what kinds of information they’re collecting and what they’re doing with it before the collection happens. Any data you collect from customers must be adequate, relevant, and limited.

• Adequate: capable of achieving the stated purpose for use
• Relevant: distinctly linked to the stated purpose for use
• Limited: kept within clearly defined stated purposes

This means companies must:

1. Explain what types of data they’re collecting and justify why they need it in simple, jargon-free language
2. Explain how the data will be used and who it will be shared with in simple, jargon-free language
3. Refrain from collecting any information outside the stated scope

Data minimization in action

What does data minimization look like in a real-world scenario? Let’s look at how it plays out in standard email marketing.

Before laws like the GDPR were passed, it didn’t matter how these email addresses were obtained.  Customers might have voluntarily shared their private email, but it’s also likely that those emails could, without the individual’s knowledge or permission, have been mined from shipping records, purchased from an unrelated company, or shared from a partner business.  All these former practices are now considered inappropriate ways to collect personal data.  Collecting personally identifiable data directly from the consumer is the safe approach, as is collecting only what is needed to perform specific operations.

Data minimization and special data categories

International data privacy law increasingly recognizes that some types of data are more valuable than others. As a result, specific protections for special categories of sensitive data have arisen, including birthdate, social security number, race, medical history, political or religious affiliation, sexual orientation, union membership, precise location, or biometric information.

Minimizing data collection processes helps ensure inadvertently harvesting sensitive personal information.  Collecting this data can expose the organization to the risk of both non-compliance and data breaches.

Data inventories keep the clutter at bay

One of the best ways to start minimizing data collection is to complete a data inventory (also known as data mapping).

A data inventory involves following the path a customer’s information follows from collection to deletion. It will show what is collected and why, who has access to it, how long and where it’s stored, where it’s at risk of exposure, and where privacy program practices deviate from the stated parameters in the privacy policy.

Almost every company that completes a data inventory is surprised by the amount of bad or unnecessary data they’re collecting and how many vulnerabilities their data is exposed to. If an organization has not done a data inventory in the last six months, it should do it now.  Without a data inventory, the organization is one step closer to hoarder status.

Becoming a reputable collector

Tom Hanks is best known for his Oscar-winning roles in Forrest Gump and Philadelphia (or, if you’re a Pixar fan, as Woody, the rootinest, tootinest cowboy in the Wild, Wild, West). But he’s also a renowned collector of typewriters.  Since purchasing his first typewriter at age 19, Hanks has collected hundreds of typewriters. At one point he had over 250 “office pianos,” and his current collection stands at about 120 machines.

The difference between Hanks (a collector) and the back storeroom of an ancient appliance repair shop (a hoarder) is that more than 90% of Hanks’ collection is functional and he knows the model/type/manufacturer of each and every one. He specifically chose them for the value they added to his collection.

When it comes to data, be like Tom Hanks.

Conclusion

Know what information makes data valuable and be selective about gathering it. Understand where information comes from, ensure it is defined accurately, keep it updated, and protect it appropriately.

Following these simple steps are part of basic data management best practices.  They will help to ensure that the collected data becomes a powerful repository of information that can power the organization to the next level of effective operations and decisions.