Honey, I Shrunk the Data: How to Keep Customer Info on a Need-to-Know Basis

Chilon of Sparta is credited with the proverb “less is more.” If only he knew the entire Library of Alexandria could fit on a single flash drive today. (He may still have concocted a clever proverb for that, too.) 

Let us not think of Chilon of Sparta as some sort of neophyte, however. The size of the global datasphere — a measure of the total amount of new information, created, captured and consumed each year — is simply staggering: IDC estimates that by 2025, this figure will reach 181 zettabytes (one zettabyte is equivalent to a trillion gigabytes). That’s almost 12 times the size of the global datasphere in 2015. Clearly, the amount of data collected by businesses is still exponentially increasing with no plateau in sight due in part to the rise of connected devices, such as microwave ovens, water pumps, red light cameras and more. 

“With great data comes great responsibility.” — Some lawmaker (probably)

Lawmakers and regulators are increasingly concerned with the granular data points businesses maintain on consumers. A number of cybersecurity incidents over the past few years have highlighted risky data governance practices, such as companies maintaining data on consumers far past what is necessary for business purposes. To address these data retention practices, new laws and regulatory efforts are emphasizing data minimization.

The practice of data minimization focuses on collecting the personal data that is reasonably necessary to provide the consumer with the service requested or purchased. Once the data is no longer reasonably necessary to provide the services — or at the end of any recordkeeping retention period — the business must delete or aggregate the data. Therefore, think about data minimization in two parts: (1) limited collection and (2) limited retention. There are ways businesses can approach both parts to shift data minimization from a legal risk to a strategic advantage.

Increasing requirements to minimize data 

If your first reaction to data minimization is “but we don’t know if we will need the data at a later point,” you are not alone. This was the mentality of many business leaders in the recent past. However, risk vs. reward calculus is changing amid surging cybersecurity attacks and regulatory scrutiny. 

The FTC’s focus on data minimization in enforcement actions has increased over the past few years. In one example, Weight Watchers settled with the FTC over allegations it retained personal information collected online from a child for longer than reasonably necessary to fulfill the purpose for which the information was collected. Attention to data minimization also appears in the FTC’s recent modification of the safeguards rule under the Gramm-Leach-Bliley Act to codify data minimization requirements for many businesses. 

Data minimization is becoming part of the legislative landscape in other ways as well:

• The American Data Privacy and Protection Act being considered by Congress requires data minimization.
• All five new state data privacy laws that come into effect in 2023 have data minimization elements.
• Laws in the EU, China and Brazil all have data minimization requirements. 

The business case for data minimization

Decreasing the amount of data collected and stored enables your organization to increase processing speed and data queries, reduce the total cost of data storage and limit the consequences of a data breach.

If time truly is money, then maximizing database performance to minimize the response time of your queries is easy money. Maximal performance can only be achieved by understanding the logical and physical structure of the data, as well as how the conflicting or duplicative uses of your database might affect performance. Limiting the data collected and stored to only data that’s truly essential ensures that old, stale data does not cause unnecessary delays.

Saving money might be even better than saving time. By lowering the overall volume of data stored in the databases, businesses can also lower the bill from their cloud service provider, which typically charge monthly per-gigabyte storage fees. While reducing the total amount of data held by the business would reduce storage costs, it also reduces the long-run cost of governing, structuring and migrating the data.  

It should come as no surprise that data breaches are expensive, negatively impact a business’s reputation and make retaining staff, hiring new staff and managing vendor/customer relationships challenging. The more data, the more expensive the data breach is likely to be. 

In addition, statutes that include an explicit private right of action provide another tool for litigants. California, for example, affords consumers the right to recover between $100 and $750 per person where the business failed to maintain reasonable safeguards resulting in a breach. Litigants avail themselves of other theories of recovery, including negligence, fraud, unfair trade practice claims and breach of contract. Data minimization promotes deleting the personal data of each customer who has not interacted with the business in two or more years. By creating a cut-off point for when data should be deleted, the business cuts down the total number of consumers and, in turn, the total cost of the data breach. 

How to capitalize on data minimization

In order to achieve the strategic advantages above, businesses should take a few practical steps to implement data minimization practices:    

Learn what is valuable to the business. It is important to interview all stakeholders, including the marketing department, in determining what is truly necessary for business purposes. In some settings, it is patently obvious what information is valuable to the business, such as an address for a company that delivers goods, Social Security numbers for credit card companies or biometric information for certain authentication companies. 

In other instances, it is clear that the business does not need the data or does not need the granularity of such data. A great example is a birthdate. Your business sends out a coupon to customers on their birthdays (because who doesn’t love a good coupon?). Birthdate is, under some laws, personal information only when collected in full. If the business is minimizing data collection, the full day, month and year likely is excessive. The service can be provided by collecting only the day and month, but if the business collected the consumer’s age, then just collecting the birth month may be sufficient. We now have successfully identified what data the business actually needs to perform the services. 

Once it is understood what data is collected and for what purposes, document it. A document that maps how data is collected, what data is collected and why data is collected is valuable for any data governance program. 

Active data governance. Good data governance programs include data verification and validation processes that occur before or at the time data is collected. Leveraging automated tools to handle manual processes for sorting, organizing and classifying data breaks down database silos. For example, data is collected and stored as a customer moves through the online retail experience, purchases a product and calls customer support. Ensuring the data can be shared across the organization allows the customer to move through the process seamlessly. Importantly, product development teams can identify trends in what questions customers had and the reasons products were returned without having to restructure the data sent by different departments. 

Data retention schedules. A data retention schedule is the crown jewel of the data retention policy and is increasingly required by applicable regulations; proactively creating a data retention schedule pays dividends. Data retention schedules complement data mapping exercises to explain how the business decides when to delete data — for example, deleting all accounts if not used in the past two years. Lining up a method to determine when data is no longer needed and can be deleted is key to rounding out the data lifecycle and creating metrics for the compliance function. Normalizing the data retention schedule with employees also is critical to building institutional awareness of the business’s expectations for data retention. It is important to note that adopting a retention schedule that is not followed is the open-and-shut case regulators and plaintiff attorneys dream about. In the words of Bob Burns, “Don’t just talk about it, be about it.”    

Conclusion

Data minimization can be a strategic imperative. Highlighting the cost-saving benefits to stakeholders in your organization is key to gaining buy-in. For data protection and governance projects, showing the business the benefits of a new practice will be an easier sell than showing them why they need to stop their old practices. 

Sarah Hutchins leads Parker Poe’s Cybersecurity & Data Privacy Team. Her experience with business litigation and government investigations strengthens her cybersecurity and data privacy practice. She is recognized by the IAPP as a Certified Information Privacy Professional/United States (CIPP/US), which is the gold standard for privacy professionals in America. 

 

Robert Botkin is an attorney in Parker Poe’s Cybersecurity & Data Privacy Team. He helps clients navigate data privacy issues and assists with developing privacy policies, responding to security incidents and implementing data governance programs.