With cyberthreats prevalent, is collecting, storing and protecting vast amounts of data still the smart move, or is “overcollection” leading to overexposure?
You don’t have to protect what you don’t have.
This is a fairly obvious idea, but it runs somewhat counter to most cybersecurity recommendations held here in the United States. As IT teams find it increasingly difficult to keep an organization’s data safe from cybercriminals, perhaps it’s time for US companies to rethink European data minimization practices.
What exactly is data minimization?
Data minimization is a common principle of European privacy law, but it has never been an American approach. It is a data-governance practice that deliberately decides what data to collect so that the organization doesn’t “overcollect.” Data minimization experts advise you to determine what data you need to run your business and not to collect or store anything else.
In contrast, the American mindset has always been that data has value and that organizations should collect all the data they can get their hands on. As anyone who has been the victim of double or triple extortion will surely tell you, keeping all your data, especially if it’s stored in the cloud, isn’t always beneficial to your organization. Rather than focusing solely on retention and protection policies that determine how long data is retained and how it is stored securely, it is time for businesses to consider whether they need to collect that data in the first place.
I have good news for you. This is not a control you have to pay to put in place. Data minimization is simply a matter of self-discipline on the part of organizations to collect only what is necessary. It can be reflected in internal policies and project design principles, and by definition it reduces the amount of data a hacker can potentially exfiltrate from your company and use against your users.
What are the policies governing data minimization?
Although the United States has not historically adopted the concept of data minimization, it has now become a timely topic with the enactment of data privacy legislation at the state level, including the California Consumer Privacy Act (CCPA), its strengthening by the California Privacy Rights Act (CPRA), and numerous other state-level privacy laws. All of these are aimed at improving data privacy for residents of their respective states.
The CPRA specifically gives California residents the right to know when and how their information is collected and sold, and the right to opt out. The CPRA also requires that companies not collect additional categories of personal information or use personal information collected “for additional purposes inconsistent with the disclosed purpose,” and that “companies must not retain consumer personal information for longer than is reasonably necessary.”
In Europe, the principle of data minimization is expressed in Article 5(1)(c) of the GDPR and Article 4(1)(c) of Regulation (EU) 2018/1725. Under these provisions, organizations must ensure that the personal data they process is adequate (sufficient to properly achieve the stated purpose), relevant (reasonably related to that purpose), and limited to what is necessary (no organization should retain more than its purpose requires).
How do you decide what’s adequate, relevant, and necessary?
The European Union (EU) Data Protection Authority (DPA) does not formally define terms such as adequate, relevant, and necessary, but it provides guidance and checklists to help organizations consider these principles. A common theme across all relevant guidance is that regulators do not allow organizations to collect data incidentally on the grounds that they might need it at a later date.
Companies operating in the EU and/or holding data belonging to EU data subjects must ensure that data subjects can exercise their right to have their data erased, and should keep in mind that failing to erase data when asked to do so can lead to an investigation, fines, or enforcement notices. These requirements are in place to protect EU nationals, so they do not only apply to EU organizations. The GDPR has extraterritorial effect, so organizations hosting personal data related to EU nationals must comply with these requirements regardless of location.
The CPRA takes a slightly more aggressive approach to data minimization. The regulation stipulates that businesses may collect only the minimum amount of personal information necessary to fulfill the specified purpose, and that they must take into account the potential negative consequences of collecting too much data. Like the GDPR, however, the CPRA leaves key terms such as “minimum personal information,” “necessary information,” and “longer than reasonably necessary” undefined.
Is data minimization a practice your company should adopt?
Companies considering implementing data minimization best practices should start by asking themselves why they need the data they collect. Where necessary, policies should be redesigned so that the company collects and retains only the minimum amount of information. Second, regular reviews of organizational processes should be carried out to ensure that the personal data held by the organization remains relevant and appropriate for its purpose. Anything that is no longer needed should be deleted promptly.
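The two controls just described, collecting only the fields a stated purpose justifies and deleting records once their retention period has passed, can be enforced in code rather than left to policy documents alone. The following Python script is an added example, not code from the article or its author; the purpose name, the allowed fields, the 90-day retention window, and the sample records are all constructed for illustration. The list of refused fields is the useful by-product: it tells a team which forms or integrations still overcollect.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CollectionPolicy:
    """Hypothetical per-purpose policy: the fields a purpose justifies and how long to keep them."""
    purpose: str
    allowed_fields: frozenset
    retention_days: int


# Constructed example: order fulfilment needs four fields and a 90-day retention window.
ORDER_POLICY = CollectionPolicy(
    purpose="order fulfilment",
    allowed_fields=frozenset({"order_id", "email", "shipping_address", "created_at"}),
    retention_days=90,
)

# Constructed "now" so the example is deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed incoming submission that over-asks: two fields the purpose does not justify.
SAMPLE_SUBMISSION = {
    "order_id": "A-1003",
    "email": "customer@example.com",
    "shipping_address": "1 Example Street",
    "created_at": NOW,
    "date_of_birth": "1990-01-01",
    "device_fingerprint": "c0ffee",
}


def minimize(record, policy):
    """Keep only the fields the policy allows; return (kept_record, dropped_field_names).

    The dropped list is worth logging: it shows which forms or integrations still
    collect more than the stated purpose requires. Refused fields are never stored.
    """
    kept = {name: value for name, value in record.items() if name in policy.allowed_fields}
    dropped = sorted(name for name in record if name not in policy.allowed_fields)
    return kept, dropped


def is_expired(record, policy, now):
    """True when the record is older than the policy's retention window."""
    return now - record["created_at"] > timedelta(days=policy.retention_days)


def purge_expired(records, policy, now):
    """Split stored records into those still within retention and those to delete."""
    keep, purge = [], []
    for record in records:
        (purge if is_expired(record, policy, now) else keep).append(record)
    return keep, purge


def sample_store():
    """Constructed stored records: one past the 90-day window, one well within it."""
    return [
        {"order_id": "A-1001", "email": "a@example.com",
         "shipping_address": "2 Example Street", "created_at": NOW - timedelta(days=120)},
        {"order_id": "A-1002", "email": "b@example.com",
         "shipping_address": "3 Example Street", "created_at": NOW - timedelta(days=10)},
    ]


if __name__ == "__main__":
    kept, dropped = minimize(SAMPLE_SUBMISSION, ORDER_POLICY)
    print("stored fields:", sorted(kept))
    print("refused at collection:", dropped)
    remaining, to_delete = purge_expired(sample_store(), ORDER_POLICY, NOW)
    print("purged:", [r["order_id"] for r in to_delete])
    print("retained:", [r["order_id"] for r in remaining])
```

Running the script with the constructed inputs stores only the four allowed fields, refuses `date_of_birth` and `device_fingerprint` at the point of collection, and marks the 120-day-old record for deletion while retaining the 10-day-old one. In a real system the purge would run on a schedule and the refused-field list would feed a review of the forms that produced it.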
Data minimization in itself is not a comprehensive cybersecurity strategy. However, it can be an effective part of a multi-layered security strategy for businesses that don’t want to bear the responsibility of storing and protecting more data than they need.
The opinions expressed here are those of the author.
Barra Larson is Head of Client Experience at Beasley, which she joined in 2007 as a mid-market specialty insurance underwriter. She currently manages the company’s Northwest region while also underwriting strategic wholesale accounts for top broker partners in the region. Larson is based in San Francisco.
Source: PropertyCasualty360