The key principles of data minimization
Posted: January 3, 2025
Most general privacy laws provide some requirements for data minimization. At the same time, however, Artificial Intelligence (AI) and today’s data-driven economy combine to encourage organizations to collect and retain more, rather than less, personal data. With this tension in mind, it may be useful to consider data minimization and its principles as applied to today’s world of Big Data and data-hungry AI activities.
At a high level, data minimization is simply the concept of collecting and retaining the minimum amount of personal data needed to accomplish a specific purpose. Increasingly, data minimization is a global standard. Not only do the European Union GDPR and GDPR-like laws require some version of data minimization, but newer laws, including United States state privacy regulations, impose similar restrictions requiring that organizations collect and retain the minimum amount of personal data possible.
Though each jurisdiction addresses data minimization in slightly different terms, there are some helpful general principles that privacy-sensitive organizations can apply. These include:
- Relevance: This principle advises us to ensure that all data collected and used have a rational link to the stated purpose of the processing.
- Adequacy: The United Kingdom’s Information Commissioner’s Office (ICO) explains the concept of adequacy in this way: that the data must be sufficient to fulfil the stated purpose. In other words, adequacy is the first half of the adage, ‘collect all the data you need, and only the data that you need.’
- Necessity: The second half of the above adage, the necessity principle outlines the need to collect and use the minimum amount of data possible for a given purpose.
- Retention: Since an organization can use data and then delete it once it is no longer needed, the retention principle advises us to delete data as soon as retaining it is no longer necessary.
Though the data minimization principle seems straightforward and easy to apply, recent enforcement actions suggest that data minimization may be easier to talk about than to do. For example, the Enforcement Division of the US California Privacy Protection Agency issued its first Enforcement Advisory on the topic, as applied to individual rights and consumer requests. In this Enforcement Advisory, called Applying Data Minimization to Consumer Requests, the Agency underscores the foundational nature of the data minimization principle and its importance in reducing risk and enhancing consumer trust.
However, there are actions that a responsible organization can take to help ensure data minimization.
- Map Data/Uses & Assess Need
- Review/Refine Collection Practices
- Establish Data Retention Schedules
- Manage Third Parties
- Communicate
Map data
As is true for so many privacy activities, the foundational step of mapping what personal data flows into the organization and how, which systems and third parties are involved, which groups have access to the data, and when and how the data are deleted is the first step toward ensuring that the data minimization principle is met. Whatever the organization calls that activity – the data map, record of processing, or data inventory – creating this documentation will help the organization collect the information it needs to understand the ‘who, what, where, why, and how’ of personal data.
A critical part of this is the “why” and “how.” An organization must not only document the data and systems involved, but must also deeply understand the purposes to which it puts the data and what business goals that activity fulfils. At the end of the data mapping and associated analysis, if there are data points that do not have a direct use (one that is reasonable and that the organization discloses), if the organization could use fewer data points or less sensitive data, or if the use itself does not fulfil a legitimate business purpose, the company may not be applying the data minimization principle.
As a simple example, consider a company that collects name, email address, postal address, and phone number from consumers who wish to contact customer support through email. The company collects the information through an online form and sends the data to its CRM system, where it also keeps its customer support ticket tracking data. The company uses the name and email address to identify the consumer in its CRM system and to respond (with name customization) to the inquiry. The company does not call the individual, nor does it use the postal address directly, except potentially to refine searches further in its CRM system and find the correct record. This data inventory and analysis exercise may point out to the company that it could eliminate the postal address and phone number from collection, or at least collect those data points only as a follow-up step for cases in which the identity of the consumer is not clear.
Review/refine collection practices
Once the organization has documented and analyzed the data it collects, how it uses the data, and whether there are any data minimization enhancements it can make, the company will also find it useful to review the data collection practices for the remaining data it intends to continue to collect. For example, the organization will want to consider what notices it provides, what consents it collects along with the data, and the clarity and completeness of the experience. If there are any conflicts or omissions related to data collection and use, the company can find and address those quickly.
Establish data retention schedules
Jurisdictional privacy laws typically require reasonable data retention periods based on business needs for disclosed purposes. The previous two steps are required to determine what disclosures the organization has made or is making, and what might be a ‘reasonable’ period before data deletion. Only then can the organization establish, document, and operationalize a valid data retention schedule.
Manage third parties
Especially in today’s world of cloud computing/storage and outsourcing, third parties may play an enormous role in data collection, consent management, use, and destruction. The data map will have identified the third parties involved in the given process, so this step of communicating expectations related to all these activities should be straightforward. Pre-relationship third party assessments, data protection agreements, in-flight reviews, interactions related to consent and individual rights management, and data deletion attestations are all topics the organization may wish to address with third parties.
Communicate
Communication is essential not only with third parties, but also across the company. Because data drives so many aspects of a business, stakeholders with an interest in how the company manages data minimization range from technical teams involved in integrations and implementations, to legal and compliance teams, and on to data-consuming functions like marketing, sales, and business intelligence. Involving stakeholders early in the process is important, and communicating from start to finish will help ensure not only alignment, but also that key players have the knowledge to continue to apply data minimization in the future.