Data Minimization; Why Bigger is Not Always Better

Data Minimization; Why Bigger is Not Always Better

An interesting position was previously divulged by the Federal Trade Commissioner of the United States when it comes to data collection. Rebbecca Slaughter proposed to ditch the outdated notice-and consent model to govern questions surrounding personal data. For her, the focus should be on indiscriminate collection of data to fuel business models such as behavioral advertising.

At the forefront of her contention is the need for companies to collect as little personal information as possible.

“Rather than focusing on opt-in versus opt-out, and whether privacy policies are clear enough, I believe we should be discussing the concept of data minimization,” Slaughter said.

https://www.mediapost.com/publications/article/365443/ftcs-slaughter-suggests-agency-will-scrutinize-be.html

What is data minimization

Data minimization refers to the practice of limiting the collection of personal information to that which is directly relevant and necessary to accomplish a specified purpose.

When an organization adapts such practice, any data processing will only use the least amount of data necessary. Likewise, the volume of collected information from private individuals are outrightly reduced. Further, the duration of the record retention is essentially shortened for reasons that will be discussed later.

Also Read: Got A Notice of Data Breach? Don’t Panic!

Legal basis of the principle

Data minimization was ushered years ago at the inception of the Data Protection Act wherein businesses holding data about any European Union citizen are mandated to practice funneled data collection.

Under the General Data Protection Regulation (GDPR), the concept of data minimization revolves around data that is:

• Adequate
• Relevant
• Limited to what is necessary for the purposes for which they are processed

This principle is specifically provided for under Article 5 (c) of the GDPR Principles Relating to Processing of Personal Data. And while there may be key differences between GDPR and the Personal Data Protection Act (PDPA) of Singapore, data minimization is likewise embodied under its 10 main personal data obligations; specifically the consent, purpose limitation, and retention obligations.

The benefits of data minimization

At the core of the principle is how companies should only collect and store the data they need- and delete everything else. A hindrance on the concept is the mindset of some organizations that they need store collected data indefinitely “just in case” they need it in the future.

It must be remembered that the value of data decreases quickly as the trend in the industry is dynamic. Also, data storage would entail cost and so companies cannot afford to go on collecting and storing information indefinitely. This outdated practice can lead to large stockpiles of data that can be extremely difficult to organize, manage, and protect.

Which brings us to the important role data minimization plays in cybersecurity. Too much data can bring bigger risks. This is especially true in personally identifiable data. And as you may have already known from reported incidents of data breach and data loss, a major leak of sensitive personal information can warrant hefty penalties. Not only that, your organization’s reputation with regard to effective data security may also be tarnished.

How to practice data minimization

Practicing the principle involves adherence to whatever data protection policy your company has adapted in consonance with GDPR, PDPA, or any other data privacy legislation. In sum, below are guide questions you should ask yourself for each point of data you are planning to collect:

1. Does the individual know I am collecting the data?
2. How am I planning to use this data?
3. Does the individual know why I am collecting the data?
4. Is there a way of achieving this purpose without having to collect the data?
5. How long will I need the data for to achieve the purpose?

These guide questions shall determine whether or not you need at any one stage a particular set of collected data; thus if there is a need to store it or can it already be removed from your records.

On the aforementioned Federal Trade’s PrivacyCon, privacy advocates reiterated their long argued contention that companies should only collect the amount of data necessary for a specific purpose, and then only use such for that purpose.

As previously held, data minimization proves to us that bigger is not always better. Most often, a smaller volume of data is easier to handle and afford security.

Hiring a DPO can help.

Aside from the fact that it is mandatory under the PDPA, an outsourced Data Protection Officer (DPO) oversees data protection responsibilities and ensures that organizations comply with the Personal Data Protection Act (PDPA). It can ensure that in the whole process of data minimization, no obligations under the said law is being breached.

Furthermore, every Organization’s DPO should be able to curb any instances of PDPA noncompliance as it is the officer responsible for maintaining the positive posture of an organization’s cybersecurity.

Also Read: Compliance With Singapore Privacy Obligations; Made Easier!