Reduce Privacy Risks with Data Minimization
Many organizations are buckling under the weight of their data assets. Though data is increasingly becoming the lifeblood of strategic decision making, the more data a company collects, the larger its attack surface grows. In addition, many experts estimate that 80% of the information businesses and their employees hold is “ROT” (redundant, obsolete, trivial).
In order to avoid the hoarding of useless data and reduce the risk of data leakage, new and emerging privacy regulations such as GDPR encourage companies to only collect the data they need - a practice known as data minimization.
Beyond simply limiting the amount of data an organization collects, the goal of data minimization is to ensure that any personal data processed is:
- adequate – sufficient to properly fulfil your stated purpose.
- relevant – has a rational link to that purpose.
- limited – only necessary data is collected and stored.
- timely – data is periodically reviewed and, when necessary, responsibly deleted.
In addition to ensuring regulatory compliance and strengthening data protections, data minimization also reduces the cost of storage, increases performance and, as it requires less computing power, can even put a dent in a company’s carbon footprint.
Data minimization is accomplished through sound governance and enabled through a variety of data management tools.
Data Governance
Determining what you need to collect and why (for what purpose) is fundamental to data minimization. In partnership with business units, the CDO and other enterprise stakeholders, a clear vision for data usage and standards must be established and widely disseminated.
The data governance framework should address:
Data Discovery
- define what personal data the organization has acquired and stored.
- locate where data is stored across the enterprise.
- build an inventory of who owns, is using or has access to the data.
Analysis
- define data purpose and required usage.
- determine whether the present purpose(s) comply with legal standards.
- identify any purposes not currently utilized which may be needed.
Preparation
- curtail access to users with invalid purposes for using the data.
- apply data protections (e.g. encryption or data masking) to data that the organization may process further or can use without its sensitive elements.
- document and communicate all valid purposes for internal data usage/access.
Retention
- establish clear procedures to determine how and when to dispose of personal data.
AI & Data Cataloging Tools
In addition to narrowing data collection processes via governance, organizations can also leverage a number of solutions to help enhance data minimization efforts.
For example, AI-powered data cataloging and classification tools can automate the classification and organization of sensitive data, thereby automatically storing what is needed and eliminating what is not. Data discovery tools can scour enterprise systems to uncover hidden and potentially vulnerable data reserves. In addition, data retention and erasure software can be leveraged to automatically detect and delete data that is no longer viable for its intended purpose.