Data Minimization is the “New Black”
2019 will be the year that “data minimization” finally comes into vogue. The combination of privacy (GDPR, CCPA, etc.) and cyber (23 NYCRR 500) regulations means the calculus for retaining data has evolved, since the risk of loss is now more certain than ever. … The “realized value” of information will become the new standard.
Given what it means to be “in vogue,” data minimization has the potential to become the “new black” in 2019 due to the ascendancy of data privacy as an emerging right (particularly here in the States). I won’t recite the litany of country-specific regulations (like the GDPR and impending CCPA), but will instead quote technology leaders like Apple’s Tim Cook:
In 2019, it’s time to stand up for the right to privacy—yours, mine, all of ours. Consumers shouldn’t have to tolerate another year of companies irresponsibly amassing huge user profiles, data breaches that seem out of control and the vanishing ability to control our own digital lives.
That’s why I and others are calling on the U.S. Congress to pass comprehensive federal privacy legislation—… I laid out four principles that I believe should guide legislation: First, the right to have personal data minimized. …
This “minimization” call to action has been heard by at least some progressive, privacy-oriented legislators:
“We must pass laws that require data minimization, ensuring companies do not keep sensitive data that they no longer need.” – Sen. Mark Warner (D-Va.), cofounder of the Cybersecurity Caucus (12/6/18)
While a nationwide legislative framework faces any number of challenges, some state-specific regulations already address the issue head-on. For example, the New York Cybersecurity Regulations explicitly require data minimization as a key part of the regulatory scheme.
Section 500.13 Limitations on Data Retention. As part of its cybersecurity program, each Covered Entity shall include policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information identified in section 500.01(g)(2)-(3) of this Part that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
The use of technology to combat the privacy incursions (that technology has ironically created) is an obvious fix. This too was noted by Tim Cook:
This problem is solvable—it isn’t too big, too challenging or too late. Innovation, breakthrough ideas and great features can go hand in hand with user privacy—and they must. Realizing technology’s potential depends on it.
As notions of data minimization become a “must have,” there are broadly two ways to solve the proliferation problem. The first is the type of data clean-up that is a core element of a mature information governance program. File analysis software provides this clean-up functionality as table stakes, either as part of ROT (redundant, obsolete or trivial) elimination or as a precursor to a data migration.
While clean-up is certainly an effective way to minimize data accumulation, it unfortunately doesn’t dam the information-creation stream. This is where “minimization by design” must come to the rescue. Like “privacy by design” notions, this framework requires minimization concepts to be built in during the earliest phases of a data accumulation program. Importantly, albeit simplistically, it asks companies to consider why they might retain any category of content in the first place.
In many ways this will be the biggest challenge, since we’ve created information systems that (by design) won’t stop over-retaining information.
“Three decades of innovation in the archiving, backup and recovery industry have made it nearly impossible to truly ‘forget’.” – Gartner analyst Nader Henein in “Practical Privacy — Managing Data Retention and Backups”
Despite the foregoing minimization challenges, we’ve now come to the point where the notion that “all data is good” is simply inaccurate. The new calculus needs to center on the “realized value” of information, which will force companies to discard anything that doesn’t have certain, legitimate business value. Anything retained beyond this narrow class is likely toxic information, which is almost certain to lead to fines, sanctions, liability and reputational harm.