Companies want to understand the needs of their customers. To do so, many try to collect as much data about them as possible, assuming that more is better. In this blog post, we will discuss why this mindset can be an expensive one and elaborate on the concept of data minimisation. You will learn why keeping less data is good practice and how data minimisation relates to the GDPR.
Let’s say that you work as a salesperson in a company that, like most, depends on returning customers. Your company has highlighted the importance of building a personal relationship with every customer. However, you find that many customers are quite similar, and you have a hard time telling them apart. To avoid the awkward situation where you confuse one customer with another, you have created a file in which you store information about each customer and the topics of the conversations you have had with them.
What you have not considered is the risk of storing this data, and whether doing so complies with the GDPR. If your company suffers a data breach in which an unauthorised person gets access to your file of customer information, you are obliged to report it to your national data protection authority (under the GDPR, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people concerned). Where the breach is likely to result in a high risk to them, you must also inform the affected customers that their data may be in the hands of cybercriminals. That conversation can have far more severe consequences than not remembering the last conversation you had with them. Failing to meet the requirements of the GDPR can lead to a substantial fine (for the most serious infringements, up to 4% of annual worldwide turnover or EUR 20 million, whichever is higher). Your organisation may also receive negative press and a damaged reputation, causing customers to lose faith in you.
As organisations began to understand the power of data, and as collecting it became much easier, many developed the impulse to save all of it, forever.
The GDPR put this issue front and centre, as its focal point is the individual’s fundamental right to the protection of their personal data. Organisations are therefore not allowed to keep data about their customers indefinitely, beyond what the purpose of processing requires; that is the storage limitation principle. Closely tied to it, data minimisation is another of the seven principles of the GDPR (Article 5).
The principles summarise the many requirements of the GDPR and are an essential resource for understanding how to achieve compliance. They are especially helpful for smaller companies that often lack the resources to hire data protection experts to guide them through compliance.
Data minimisation means limiting data collection to only what is required to fulfil a specific purpose, which follows from the individual’s right to data protection. Following this principle has multiple benefits. If a data breach occurs in your organisation, the unauthorised party only gets access to a limited amount of data: what was never collected cannot leak. Furthermore, removing outdated data means that what remains is more accurate and up to date.
It is your organisation’s responsibility to assess how much data is actually needed to conduct your business and to ensure that irrelevant data is not collected. The GDPR states that personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. In other words, the data must be sufficient to properly fulfil your organisation’s purpose (adequate), there must be a rational link between the data and that purpose (relevant), and your organisation must not hold more data than needed for the defined purpose (limited).
Many organisations limit their data collection only to comply with the requirements of the GDPR, and some people think of data minimisation purely as something that must be done to avoid a fine. However, applying data minimisation brings many more positive outcomes.
Data minimisation reduces the risk and impact of data loss and breaches, because fewer records mean less that can be damaged or stolen. It makes data storage more efficient: your team spends less time searching through archives, and the data they retrieve is accurate because they can be sure it is not obsolete. It also speeds up responses to data subject requests, because there is less data to go through. It gives you more satisfied customers: as people become more aware of the value of their personal data, they will trust a company more if they know that their data will not be misused. Finally, data minimisation reduces cost. All data storage costs money, so storing less saves your organisation money.
If you want to implement data minimisation in your business, the following guidelines will help you in the right direction.
Begin by limiting your data collection: your organisation must define which data is necessary to conduct your business and which is not. You must also create clear, defined rules for which employees can access which data. For example, the person responsible for paying salaries needs the staff’s bank account details, but that data is not relevant to an employee working in customer service.
Secondly, manage data regularly. The data you collect will sooner or later become out of date, and this must be planned for. With data minimisation, you make sure that your databases are reviewed regularly and keep only the relevant information.
Thirdly, delete data systematically. This is a core aspect of data minimisation. When personal data becomes old, it is useless for your organisation’s needs and only takes up unnecessary space while remaining a liability. You need to be sure that all the data in the organisation is still serving a defined purpose, and that deletion happens on a schedule rather than ad hoc.
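The three steps above can be made concrete in code. The following is an added illustration, not part of the original post: a declared schema that names each field’s purpose and retention period, role-based views that hide fields a role has no purpose for, and a retention sweep that deletes fields (and eventually whole records) once their retention has expired. All field names, roles, retention periods and sample records are constructed assumptions.

```python
"""Data minimisation helpers: keep only declared fields, expose them per role,
and delete what has outlived its purpose.

Added example, not from the original post. The schema, roles, retention
periods and records below are constructed for illustration.
"""
from datetime import date, timedelta

# Each field the business may hold, the purpose it serves, and how long it may
# be kept after the last interaction with the person. (Assumed values; a real
# schema comes from your records of processing activities.)
SCHEMA = {
    "customer_id":  {"purpose": "account", "retention_days": 365 * 3},
    "name":         {"purpose": "account", "retention_days": 365 * 3},
    "email":        {"purpose": "account", "retention_days": 365 * 3},
    "order_notes":  {"purpose": "sales",   "retention_days": 180},
    "bank_account": {"purpose": "refunds", "retention_days": 90},
}

# Purposes each role works on. Customer service has no need for bank details,
# so it never sees them, even though the record contains them.
ROLE_PURPOSES = {
    "customer_service": {"account", "sales"},
    "finance":          {"account", "refunds"},
}


def minimise(record):
    """Drop every field not declared in SCHEMA, i.e. anything collected without
    a defined purpose. Returns (kept fields, sorted names of dropped fields)."""
    kept = {k: v for k, v in record.items() if k in SCHEMA}
    dropped = sorted(k for k in record if k not in SCHEMA)
    return kept, dropped


def view_for_role(record, role):
    """Return only the fields whose purpose the given role is entitled to.
    Unknown roles get nothing (deny by default)."""
    allowed = ROLE_PURPOSES.get(role, set())
    return {k: v for k, v in record.items()
            if k in SCHEMA and SCHEMA[k]["purpose"] in allowed}


def retention_sweep(records, today):
    """Apply per-field retention to a batch of records of the form
    {"last_contact": date, "data": {...}}. Fields older than their retention
    period (counted from last contact) are removed; a record with nothing
    left is deleted entirely. Returns (surviving records, deleted count)."""
    surviving, deleted = [], 0
    for rec in records:
        age_days = (today - rec["last_contact"]).days
        kept, _ = minimise(rec["data"])  # never retain undeclared fields
        fresh = {k: v for k, v in kept.items()
                 if age_days <= SCHEMA[k]["retention_days"]}
        if fresh:
            surviving.append({"last_contact": rec["last_contact"], "data": fresh})
        else:
            deleted += 1
    return surviving, deleted


# Constructed sample data (not real people or account numbers).
TODAY = date(2024, 6, 1)
SAMPLE = [
    {"last_contact": TODAY - timedelta(days=30),
     "data": {"customer_id": "c-1", "name": "A. Andersen", "email": "a@example.com",
              "order_notes": "prefers phone", "bank_account": "DK00 0000 0000 0000 00",
              "birthday": "1980-01-01"}},          # undeclared field, will be dropped
    {"last_contact": TODAY - timedelta(days=200),
     "data": {"customer_id": "c-2", "name": "B. Berg", "email": "b@example.com",
              "order_notes": "asked about invoice", "bank_account": "DK00 0000 0000 0000 01"}},
    {"last_contact": TODAY - timedelta(days=365 * 4),
     "data": {"customer_id": "c-3", "name": "C. Carlsen", "email": "c@example.com"}},
]

if __name__ == "__main__":
    kept, dropped = minimise(SAMPLE[0]["data"])
    print("dropped undeclared fields:", dropped)
    print("customer service sees:", sorted(view_for_role(kept, "customer_service")))
    print("finance sees:", sorted(view_for_role(kept, "finance")))
    surviving, deleted = retention_sweep(SAMPLE, TODAY)
    print("records deleted outright:", deleted)
    for rec in surviving:
        print(rec["data"]["customer_id"], "retains", sorted(rec["data"]))
```

Running it on the sample shows the three behaviours in one pass: the undeclared birthday field is dropped at collection time, customer service never sees the bank account that finance can, and the 200-day-old record loses its sales notes and bank details while the four-year-old record is deleted outright. The point of encoding retention per field rather than per record is that a customer relationship can be kept alive while the more sensitive fields attached to it expire first.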
Creating overall guidelines for achieving data minimisation is a good start. However, you must also teach your employees the right mindset to apply in their everyday work. The right approach from employees is the foundation of compliance, both for data minimisation and the GDPR and for your organisation’s overall cybersecurity.
When your team collects data, they should remember five questions to answer before the data is obtained:
By asking these questions, your team will understand which data your organisation must store and which it must not.
When your organisation follows the guidelines and your employees remember the questions, you will achieve data minimisation and be one step closer to complying with the GDPR.