Data Minimisation: A Privacy Professional’s Guide to Slimming Down Your Data

You know you need to do it, but the data minimisation project is overwhelming. You have over 20 years of records, in both paper and electronic form. The records are stored offsite and online. You recently moved your online files to Sharepoint and lost all the metadata. You maintain several legacy systems inherited through mergers and acquisitions that you think are no longer needed, but you’re not really sure. No one has ever deleted an email. And no one wants to delete anything. So, where do you start?

We covered some of the other foundational elements of data minimisation, like creating a culture of minimisation, in an earlier post. We recommend reading that post alongside this one.

Data minimisation is not a one-and-done exercise. It’s something you do continually, by building it into your ongoing processes. To be frank, even developing those processes will not be a one-and-done exercise. More likely, they will be formally implemented once and then improved over time to become more efficient and more effective.

But you need to start somewhere…

Back to Basics: Data Minimisation Starts with Data Mapping

The first step in any data management process, including data minimisation, is to know your data. A data mapping exercise is the best way to do this.

Data mapping is foundational to any privacy program, and it’s the best place to start a data minimisation project. A data map acts as an overlay on top of your systems maps. It tells you exactly what information is collected (so you can work out its sensitivity and risk), the purpose of collection (which helps you determine how long you can keep the data) and how it is used and shared (so you can check that actual use matches the stated purpose).

Begin by creating an inventory of the personal data you collect, recording at a minimum the purpose of collection, whether it’s sensitive, where it’s stored, how long you keep it, and who has access. More mature programs also map hidden and unauthorised data flows and downloads, such as copies sitting on laptops and file shares, which your IT team is usually best placed to identify.

From There, Establish Data Minimisation as a Program

Once you know what data you hold, you can start designing a program to manage all of it, including timely deletion, going forward.

A foundational step in establishing that program is to find owners, both for the data minimisation program itself and for the different data holdings.

We suggest building a committee that represents business, compliance, legal, and IT to jointly develop the program. They will all have a role to play, and many data management decisions will need the view of a cross-functional team.

In terms of day-to-day management, you will want to allocate accountability for data, or even for certain types of data, and the associated retention and deletion obligations to particular roles. This means identifying the Data Owners responsible for different data assets, and the Data Stewards who hold delegated responsibility for managing them. Remember, the heads of business functions should own the data assets they rely on: the marketing manager should be the data owner for the organisation’s marketing data, and the head of People and Culture should own the organisation’s employee data. The IT and data management team provide support, but for most business data they are custodians, not owners or stewards.

Identifying Your Retention & Deletion Obligations

Depending on how mature your existing data management processes are, the next step might be to identify your organisation’s retention and deletion obligations more clearly.

Most organisations understand they need to keep tax records for 7 years, but what about everything else? How long do you keep marketing information? What about job application details?

The business needs really clear guidance on when it’s OK to delete data (whether in electronic or paper form), and this involves more than just repeating the legal record retention requirements.

Unfortunately, many data retention policies only work as a legal formality, not a business tool. We see a lot of data retention policies that only cover (and usually briefly) formal record keeping obligations. They rarely set out clear guidance on deletion, such as what, when, and how you should get rid of data, as well as how long you must keep it. 

Updating your data retention and deletion policy, and building in guidance to make it a practical, usable document, not just a formality, can really help your teams implement better information management processes.

Ultimately, the goal is a system in which every data item coming into your organisation has a safe ‘home’ until it is deleted, and a mechanism in place to ensure it is deleted on time.

Your process should involve your legal team in deletion decisions, so they can identify legal holds and confirm that deletion is appropriate and will not affect your compliance. A legal hold overrides the retention schedule: a record that is past its retention period but subject to a hold must be kept until the hold is lifted, and only then deleted.
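As an added example (not code from this post or from Privacy108), here is how the inventory fields from the data mapping section and the retention-plus-legal-hold decision above can be expressed as a small retention schedule evaluator. The purposes, retention periods, field names and sample assets are constructed placeholders; the real periods come from your legal team and your retention policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RetentionRule:
    """Minimum retention for records collected for one purpose, counted from the
    date the retention clock starts. Periods here are constructed placeholders;
    the real ones come from your legal team and the retention policy."""
    purpose: str
    retain_days: int


@dataclass(frozen=True)
class DataAsset:
    """One row of the data map, using the fields the post lists (what, purpose,
    sensitivity, location, owner, retention), plus two fields the deletion
    decision needs: when the retention clock started and whether a legal hold
    applies. Field names are assumptions for this example."""
    asset_id: str
    description: str
    purpose: str
    sensitive: bool
    location: str
    owner: str
    clock_start: date      # e.g. end of the financial year, date of the application
    legal_hold: bool = False


# Hypothetical retention rules (constructed for this example).
RULES: Dict[str, RetentionRule] = {
    "tax_records": RetentionRule("tax_records", 7 * 365),
    "job_application": RetentionRule("job_application", 365),
    "marketing_list": RetentionRule("marketing_list", 2 * 365),
}

# The date the schedule is evaluated against (fixed so the output is reproducible).
AS_OF = date(2024, 6, 30)


def evaluate(asset: DataAsset, rules: Dict[str, RetentionRule],
             today: date) -> Tuple[str, Optional[date]]:
    """Decide what to do with one asset as of `today`.

    Returns (action, retain_until) where action is one of:
      "review" - no rule covers this purpose; never delete unmapped data silently
      "retain" - still inside its retention period
      "hold"   - past retention, but a legal hold blocks deletion
      "delete" - past retention and no hold: eligible for deletion
    """
    rule = rules.get(asset.purpose)
    if rule is None:
        return "review", None
    retain_until = asset.clock_start + timedelta(days=rule.retain_days)
    if today < retain_until:
        return "retain", retain_until
    if asset.legal_hold:
        return "hold", retain_until
    return "delete", retain_until


def schedule(assets: List[DataAsset], rules: Dict[str, RetentionRule],
             today: date) -> Dict[str, List[Tuple[str, Optional[date]]]]:
    """Bucket every asset by action. Sensitive assets are ordered first, since
    sensitive data held past its retention period is the highest-risk holding."""
    buckets: Dict[str, List[Tuple[str, Optional[date]]]] = {
        "delete": [], "hold": [], "retain": [], "review": []
    }
    for asset in sorted(assets, key=lambda a: not a.sensitive):
        action, until = evaluate(asset, rules, today)
        buckets[action].append((asset.asset_id, until))
    return buckets


# Constructed sample inventory, not real data.
SAMPLE_ASSETS = [
    DataAsset("A1", "FY2015 invoices", "tax_records", False, "finance share",
              "CFO", date(2015, 6, 30)),
    DataAsset("A2", "Applicant CVs, Jan 2024 round", "job_application", True,
              "HR system", "Head of People and Culture", date(2024, 1, 15)),
    DataAsset("A3", "2019 campaign subscriber list", "marketing_list", True,
              "CRM", "Marketing Manager", date(2020, 1, 1), legal_hold=True),
    DataAsset("A4", "Legacy CRM export (acquired entity)", "legacy_crm_export",
              True, "archive bucket", "unassigned", date(2018, 3, 1)),
]

if __name__ == "__main__":
    for action, items in schedule(SAMPLE_ASSETS, RULES, AS_OF).items():
        print(action, items)
```

Two design points matter in practice. An asset whose purpose has no rule lands in "review" rather than "delete", because the inherited legacy systems described at the top of this post are exactly the data you have not mapped yet, and deleting them blind is as risky as keeping them. And the legal-hold check comes after the retention check, so a hold is only reported on records that would otherwise be deleted, which is the list your legal team needs to clear.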

When developing your retention and deletion policy, you don’t need to reinvent the wheel. You can use standards, like ISO/IEC 27555, to help.

ISO/IEC 27555 is an international standard that offers guidance on the deletion of personal information. It helps organisations implement data minimisation principles by establishing systematic policies, procedures, and documentation for the timely and secure removal of personal information that is no longer necessary for business purposes or required by law. (Keep an eye out for our upcoming blog on ISO/IEC 27555, we really like this standard!)

And remember, for information that may have value, you can think about alternatives to deletion – like de-identification.

(And check out our posts on data de-identification here: https://privacy108.com.au/insights/de-identification-privacy-how-when-why/ and here: https://privacy108.com.au/insights/big-data-and-de-identification/.)

Implementing your Data Minimisation Program

Once you’ve got the main pillars of your program established (governance, responsibilities, data retention and deletion policies and data maps), it’s time to embark on actually getting rid of data that falls outside your retention obligations.

Here are some things to consider: 

  • While these should be laid out on your data map, you may need to do a deeper dive into the data you hold. This means thinking about the different forms data takes: emails, paper records, files stored on laptops and file shares, OneDrive, Sharepoint, as well as your key systems. Make sure you have a comprehensive bird’s-eye view of your data as a starting point. 
  • Develop and use a designated system of record as you go, to ensure you’re meeting your record-keeping obligations. A system of record lets you be confident that you are retaining the necessary data for the required period, so copies held elsewhere can be removed. 
  • Think about data that is duplicated across the organisation and the best way of de-duplicating it. (Note: duplication is different to replication, which can be a useful tool for retention where properly used.)

Some Helpful Data Minimisation Practices

With the above considerations in mind, some practices that those clutter-free/minimalist-types recommend on Netflix and Apple Podcasts can be helpful here too: 

  • If you aren’t sure whether you still need certain records, move them to a secure holding area and see whether you or anyone else needs to access them. If no one has needed them within a month, quarter or year (whatever timeframe you think is appropriate), delete them. Give the holding area its own deletion date, so it does not quietly become another archive. 
  • Start small by sorting and minimising one type of record, then scale up as your confidence grows. 
  • Keep an eye on the bigger picture as you minimise. Remember that these projects allow your business to streamline its operations and be more efficient and cost-effective, while also reducing risk. 

Build Out Your Program: Looking to The Future

To ensure your data minimisation policies are future-ready, consider the following:

  • They must be sufficiently flexible and adaptable to accommodate new types of data and new storage and deletion tech stacks. 
  • You will need to regularly self-audit your existing processes to see whether they are still working. If not, go through the process of creating a practical data minimisation policy again. 
  • Stay up to date with emerging technologies, best practices, and shifting regulations, so that your data minimisation policies continue to reflect current customer expectations. 

Prevention Is Better Than a Cure

Preventing overcollection in the first instance is better than spending time managing and deleting the data later. 

At this stage, we recommend routinely reviewing your data collection points to ensure that everything being collected is being collected with a purpose. It’s generally advisable to check:

  • Contact and signup forms on your website. 
  • Client intake forms and onboarding processes. 
  • Payment portals. 
  • Account creation. 
  • Employee records.
  • Surveys and quizzes, both internal and external. 
  • Educational records. 
  • Job applications. 

Regardless of where you are in your data minimisation journey, if you need more help, reach out to our team. 

Privacy108 will work with you to design and implement programs to uplift your privacy maturity including governance, policies, training and privacy assessments. 

We use Privacy by Design Principles when developing your business privacy program:

[Table outlining Privacy by Design principles]

Contact us to learn more

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.