How to Comply with Data Minimization Best Practices

(Andrii Yalanskyi/Shutterstock)

The topic of data privacy is heating up at the moment, with consumers and government bodies more worried about data anonymization, invasive tracking, and illegal data harvesting than before.

In this environment, the process and practice of data minimization is a key–yet often overlooked–part of data privacy. Let’s take a closer look at this important concept and how it should change the way companies handle your data.

What is Data Minimization?

Data minimization is the process of trying to collect as little data as you need and only keep it as long as you need it. The concept has been around for a while, but the EU codified it into law with the mandatory General Data Protection Regulation (GDPR).

According to the GDPR, “a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose. They should also retain the data only for as long as is necessary to fulfil that purpose.” In the States, data minimization is merely considered a best practice, but it may become law soon as attorneys and consumers press the Federal Trade Commission to address data minimization.

One of my recent experiences provides a useful anecdote to illustrate the importance of data minimization. I tried to opt out of marketing messages from a large, well-known, recently acquired data company. In order to opt out, the company told me that they needed my Social Security number. That is way more information than any company should require from me just so I can opt out of marketing outreach, and it demonstrates a truth about many businesses: They try to make opting out as difficult as possible.

There’s a lot of pushback against data minimization from corporations, and with reason. I find tech companies tend to have a hoarder mentality about their data. If you ask marketers or CTOs to purge their data collections, you’ll almost always hear something like, “Oh, but what if I need it later?” or “I’m sure I can find a way to use this!”

But change is coming. Today, data minimization is a best practice in much of the world. Tomorrow, it may be a global legal requirement. Let’s talk about how to comply with data minimization best practices–and also why you should.

Why Should I Comply?

(everything-possible/Shutterstock)

There are a number of very good reasons to comply with data minimization best practices. First, it builds trust with consumers. You may not think they care, but consumers appreciate being given information and choices about how their data is used. I found this new study by MAGNA Global and Ketch especially illuminating in that regard, as it showed that a full 74% of respondents rank data privacy as one of their top values.

Second, as I mentioned–and warned–above, change is coming. The progress may start as a patchwork of laws, and progress may be inconsistent. But Illinois’s Biometric Information Privacy Act (BIPA) and California’s Consumer Privacy Act show us that voters want data protection.

You may think that you have time to worry about data minimization policies later when stricter laws are in full effect. Indeed, in the EU, businesses were given two years to make necessary changes to adjust to GDPR. But when China introduced similar legislation called the Personal Information Protection Law (PIPL), businesses got just four months.

Data minimization is also good data hygiene. You’re liable for all the data you hold, and the more of it you have, the tastier a target you are for hackers. For example, T-Mobile kept the data of 40 million customers it no longer did business with. Why did it keep this data? What possible use could it have had for that data? We’ll never know.

However, hackers got access to the first and last names, date of birth, Social Security numbers, and driver’s license/ID information of those 40 million customers. Naturally, those 40 million were more than happy to file a class-action lawsuit against T-Mobile, who is now on the hook for $100 to $750 in damages per customer per violation.

How to Comply with Data Minimization

By now, you’re hopefully convinced that data minimization is at least worth considering. Let’s talk about some strategies to implement best practices in your business today.

(kirill_makarov/Shutterstock)

First, identify the data you need and want from your customers. Look, I’m in the business of data-driven marketing, so I know that’s a painful process. I once had a British marketing exec tell me that his marketing cookies were absolutely necessary for a site to function because they helped the website make money. I had to break it to him that he was violating GDPR. He was not pleased about it.

But the sooner you do it, the sooner you’ll be prepared for future regulation. Plus, you may find that you actually save money by doing this. I have come across so many businesses that were saving truly useless data, and yet still paying to collect and store it.

I also recommend setting a time cap on how long you store data. A yearly data audit can help you ensure you’re not storing data from customers that you don’t have anymore, or data that you only needed for a single process. For example, maybe as a recruitment agency, you store data about the medical conditions of applicants for a particular job. Once that job is filled, you should not continue storing that medical data.

Finally, be proactive about communicating with your customers. This veers more into wider best practices of data privacy, but if you share the how and why of data collection with your customers, you’ll quickly find what information they’re happy to give you and which you should stop collecting. For example, you may tell all web visitors to your ecommerce website that you’re storing what products they view and what they buy, to ensure you deliver relevant recommendations in the future.

Data Minimization as a Best Business Practice

I’m a fan of minimalism generally, and I find it’s good for data, too. Many companies worry that less data equals less power, but I believe that data minimization can actually be a helpful business practice, not just a potential legal requirement. With less data, you can focus more on the signal and less on the noise. You’re not as likely to inadvertently compromise your customers’ data. And you’re building more trust with consumers.

All in all, data minimization is a good idea for any business.

About the author: Timur Yarnall is the founder and CEO of Neutronian, a SaaS company that provides data quality and compliance verification services. Neutronian also developed the NQI Certification, a comprehensive data quality, compliance, and transparency certification, to bring more trust and transparency to the marketing industry.  You can connect with Timur on LinkedIn here.

Related Items:

A Culture Shift on Data Privacy

Regs Making Legit Data More Valuable, Neutronian Says

Anger Builds Over Big Tech’s Big Data Abuses