Challenges with Data Minimization: How can Meru help?
In our last article, we talked about why Data minimization should be an integral part of an organization's privacy program. However, implementing data minimization would be considered challenging to achieve. Minimizing data can also be perceived as hindering data monetization efforts. However, implementing data minimization will improve the quality and accuracy of data, helps analytics, and goes a long way in establishing trust with customers.
Data minimization is not only about privacy, but it is about implementing efficient data management practices. The need for efficiency in managing organizational data has become increasingly important and is a necessity for maintaining a competitive advantage.
Data minimization requires good planning, connecting the dots, and working collaboratively with all relevant stakeholders across the organization. Investments in the right technology will help with scalability and implementation. The focus is always on the technology for execution. Taking a data-driven approach to planning and implementation will make data minimization simpler and effective.
Meru can help in three ways:
1. Building a detailed DataMap that can make data minimization an easy and scalable process:
A DataMap can help you identify what data exists within the organization, how it is used, and by whom. The identification can be at a system or process level.
Once the data is identified, proper classification of the data in the DataMap will help organizations understand what is important, sensitive, and confidential, thereby improving overall security. It is also important to understand if the data maintained in a system is as a system of record or just a duplicate copy of the data.
AI-powered data cataloging and classification tools can automate the classification and organization of data within the DataMap. Identification and classification will also help to define the purpose and understand the usage of this data. Our classification algorithm already has prior context for the data and can use these data points to more accurately identifying personal and other sensitive information.
Data can be classified in many ways to facilitate different use cases for decision making:
− What data is created (contracts, shareholder minutes, customer feedback, etc.)
− How it is classified (Biometric data, confidential, personal information, etc.)
− Where it is stored
− How it travels within and outside the organization (cross border transfers, service providers, etc.)
− Who has access to the data
A typical DataMap captures many attributes as illustrated in the picture above. The overall system-level attributes, privacy-centric attributes, and record retention attributes are most critical for the data minimization program.
2. Mapping the records retention schedule to the DataMap to develop a comprehensive plan:
Determining how long to keep the data requires a better understanding of a company's data, how that data is classified (if it includes personal information), how that data is used in the business, and any laws applicable to its retention.
While the DataMap provides some of these details, the data retention policy and the retention schedule document the corporate policy and the legal requirements for retaining the data.
The retention schedule along with the retention policy provides guidance on when a particular type of data must be deleted. Both the policy and the schedule should reflect the types of data the company has and the laws applicable to its retention. Meru can help develop and maintain the retention schedule based on these needs.
Over the past few years, a number of organizations have taken the time and effort to update their retention schedule to make sure it is up to date and may also be updating their retention schedule regularly. The retention schedule, however, also needs to be implemented. Meru can also help operationalize this retention schedule and implement a data minimization program within the organization. This requires-
1) Mapping the records retention schedule to the data sources in the DataMap.
2) Identifying and reconciling gaps in the retention schedule3) Matching up the legal and business requirements at a granular level.
4) Developing a plan for the deletion of data.
One of the biggest challenges with Data minimization is the inability to make the decision of deletion. Decisions are tough when you do not have enough information and deletion often requires the collaboration and approval of various stakeholders within the organization. Not a very easy task.
Detailed mapping will help develop a plan that can be actioned upon. This plan and the data-driven metrics that go with it can bring alignment to stakeholders making it easy to pull the trigger for deletion when required.
3. Deletion: When dealing with large data troves, it is impossible to execute tasks like minimization without automation. Automated deletion, both proactively and to meet DSAR requests, can save valuable man-hours and resources for the organization.
Meru Data provides holistic solutions for classifying this data and managing deletion. Our automated data mapping and continuous rule-based monitoring tools create an actionable set of plans from the inventory and the retention schedules. Meru can help take a data-centric approach to decision-making by providing the right information at the right time. This can drive consensus and alignment amongst stakeholders in implementing the deletion.
There are several methods for deleting the data and they vary in ineffectiveness. The best method for data deletion can be determined based on the type and nature of the data and the risks associated with its exposure. Meru can help identify the appropriate method of deletion using a risk-based approach. We can perform the deletion, set up metrics to verify deletion, and also help manage/monitor the deletion at the enterprise level.
Most technologies in the market focus on just classification and deletion but in actuality, mapping the records retention schedule to the DataMap is the most important part. This step is often left as a manual analysis to be performed by the team. However, most teams find it hard to analyze, reconcile and develop an action plan as there is too much data and it can be complex. Technology can greatly enhance and add value to the mapping process.
Most organizations jump to deletion without building an accurate DataMap and performing detailed mapping and planning, and this makes deletion impossible. Deletion can’t be carried out without first having a comprehensive DataMap and a solid retention plan. An exhaustive DataMap can provide guidance on what aspects to consider for your retention policy and schedule. The more you know about the existing data, the easier it will be to prepare an accurate policy around it. Skipping these steps will manufacture a deletion strategy that may not be implementable and efficient in the long run.