Data Minimization: Are you doing it right?
A few years ago, businesses were collecting more information than they needed in the hopes of it being useful in the future. The phrase “data is the new oil” was taken quite literally—organizations started accumulating all the data they could and for as long as possible.
As storage costs kept decreasing, many organizations did not make an active effort to delete unwanted data. It was likely driven by the assumption that the stored data could be of some use soon. This has resulted in large quantities of unwanted data accumulating in organizations.
Lately, organizations and regulators have been identifying the risks associated with the collection and storage of too much information. The concept of data minimization became more prominent after it was introduced as one of the fundamental principles under the General Data Protection Regulation (GDPR).
What is data minimization?
Data minimization is the practice of limiting the collection of personal information to what is needed for the intended purpose.
Article 5(1)(c) of the GDPR states, “personal data shall be adequate, relevant and limited to what is necessary for relation to the purposes for which they are processed (data minimization).”
Though not mandated under the California Consumer Privacy Act (CCPA), data minimization is a requirement under the California Privacy Rights Act (CPRA). Embracing data minimization will save time, money and reduce risks for the organizations. Excessive data not only makes them vulnerable to privacy breaches but also makes it difficult to store and manage data. Organizations could also land in regulatory trouble for not complying with the laws governing the collection and storage of data.
In 2019, the electronic payment company UAB Mister Tango was penalized by the Lithuanian State Data Protection Inspectorate (VDAI) for collecting excessive data and storing it longer than necessary. The case marked the first administrative fine in Lithuania for violation of GDPR, emphasizing the fact t