In Corporate Compliance Insights, Sarah Hutchins and Robert Botkin explain how data minimization can be a strategic imperative.
"Lawmakers and regulators are increasingly concerned with the granular data points businesses maintain on consumers," they wrote. "A number of cybersecurity incidents over the past few years have highlighted risky data governance practices, such as companies maintaining data on consumers far past what is necessary for business purposes. To address these data retention practices, new laws and regulatory efforts are emphasizing data minimization."
"The practice of data minimization focuses on collecting the personal data that is reasonably necessary to provide the consumer with the service requested or purchased," they continued. "Once the data is no longer reasonably necessary to provide the services — or at the end of any recordkeeping retention period — the business must delete or aggregate the data. Therefore, think about data minimization in two parts: (1) limited collection and (2) limited retention. There are ways businesses can approach both parts to shift data minimization from a legal risk to a strategic advantage."
"If your first reaction to data minimization is “but we don’t know if we will need the data at a later point,” you are not alone," they wrote. "This was the mentality of many business leaders in the recent past. However, risk vs. reward calculus is changing amid surging cybersecurity attacks and regulatory scrutiny."
Full article: "Honey, I Shrunk the Data: How to Keep Customer Info on a Need-to-Know Basis"
Corporate Compliance Insights (CCI) is an independent news source for compliance, ethics, risk & information security. CCI is a knowledge-sharing forum and a publishing platform for established and emerging voices in governance, risk, and compliance.