Data minimization: What it is and why it matters

In a world of cheap, effectively infinite cloud storage, it can feel like there’s simply no need for the delete key. After all, we can keep everything forever, pay next to nothing per item, and never worry about it again, right? Well, not exactly. 

Data has costs that go beyond the infrastructure bill, and retaining it forever can put your organization at risk in unexpected ways. The cost/benefit calculation isn’t as straightforward as you might think.

In this article, we’ll outline the hidden (or not-so-hidden) costs of retaining data. We’ll also explore how a focus on data minimization can both reduce these costs and enable your team to get more out of the data you do keep.  

But first, let’s take a look at what data minimization is and why it matters. 

What is data minimization? 

Data minimization is the practice of collecting and retaining only the personal data you need for a specific purpose, such as complying with legislation or delivering a service. The business should also only retain the information for as long as it takes to meet that purpose. 

A key element of data minimization is removing redundant, obsolete, or trivial (ROT) data. This data naturally accumulates over time in normal business operations, but it serves no purpose and can pose serious security and compliance risks when retained.

‍

A solid data minimization strategy can help your business mitigate the risks that come with storing and retaining ROT data. 

Why data minimization matters

For a start, retaining too much ROT data makes it easier for hackers to find an entry point into your systems. There’s also the cost factor, with data storage, management, and transfer costs quickly skyrocketing as a business possesses more information. 

Most importantly, though, limiting data is a core principle of compliance standards like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), both of which limit businesses to collecting and retaining only the customer data they need. 

For a stark reminder of the risks of retaining too much sensitive data, look no further than the 2024 Medibank breach. After failing to protect sensitive records of over 9.7 million Australians, the company now faces fines of more than AU$125 million, along with lasting reputational damage. 

Failing to practice data minimization doesn’t just impact your bottom line. It creates a liability that puts your customers and your business at risk. 

Core principles of data minimization 

Data minimization has a few key principles designed to help businesses manage data responsibly and reduce risk: 

• Purpose limitation: You should only collect and retain data if it’s for a clear purpose. Also, you shouldn’t use this data for any reason other than for its intended purpose. 
• Necessity and proportionality: You should only collect the exact amount of data you need for the given purpose. Don’t gather any excess information that isn’t necessary. 
• Accuracy: All of the personal data you collect needs to remain up-to-date and accurate. You should dispose of any incorrect or outdated information as soon as you discover it.
• Integrity: Any data you collect and retain needs to be protected from malicious attacks, damage, loss, and unauthorized access, both from external and internal threats. 
• Storage minimization: You shouldn’t keep your data for any longer than necessary. Once the information has served its legitimate purpose, you should delete it. 

These five data minimization principles will lay the foundation for your framework. Later in the guide, we’ll use these concepts as a starting point for a data minimization strategy. 

Benefits of data minimization

Let’s reiterate why data minimization is so important and how it can benefit your organization. Here are six benefits to consider, both for consumers and businesses:

‍Understanding the risks

The argument for ‘keeping everything’ usually revolves around the perception that data should be retained because ‘we might need that one day’. The reality, however, is that keeping information too long can increase various types of risks for your business:

• Regulatory risks: Most jurisdictions with privacy regulations stipulate that you can’t keep personal information any longer than you need it or for any purpose other than what you collected it for. Keeping any amount of personal information on your system ‘just in case’ isn’t an acceptable defense, and it can expose the business to significant financial penalties and reputational damage.

• Security risks: Keeping outdated file formats can create additional data security risks. As those formats are no longer maintained or patched, they may enable malicious actors to orchestrate a data breach or open the organization up to more general system failures.
• Process risks: The more content you have, the less efficient your business becomes. It also increases the chances that you’ll base decisions on outdated or incorrect information. This can lead to legal, financial, and reputational damage.

Calculating the cost

We often think of data retention costs as a relatively simple dollar amount per TB ratio. However, when calculating the true cost of storage, you also need to look at other dimensions, including:

• Replication costs: Some organizations have clear requirements to replicate data across regions, typically to improve availability or disaster recovery processes. If you’re replicating critical datasets across different geographical regions, you’re effectively doubling the amount of data you store. You should expect to incur additional costs as a result, possibly up to 100%.
• Transfer or egress costs: If you transfer data from your storage provider, either as part of a business process or as part of a larger data migration, you can incur additional costs.

1. Management costs: Your provider could charge management costs, or your team could incur indirect costs as they carry out data management tasks. It covers a broad range of items, including the cost of data transfers across tiers of storage (for better cost effectiveness), cloud monitoring to ensure data integrity, and security activities (encryption, penetration testing, security architecture changes, etc.).

While you may be paying $0.023 per TB of data, that number may pale in comparison to the direct and indirect costs above. Even worse, this investment may be going toward managing data you don’t even need (or want) to keep, which is data that could cause your organization harm by retaining it.

Overcoming the fear of hitting delete

So, what can you do? 

At its heart, the solution revolves around developing a better understanding of your data, or separating the wheat from the chaff, if you will. To put it simply, the solution is data minimization.

After you do that, you can work toward appropriately reducing the amount of data you’re keeping on an ongoing basis.

How to implement a data minimization strategy

Now that you understand the issues that a lack of data minimization causes, you can start the process of fixing the problem. 

Here’s a high-level guide to implementing a data minimization strategy so your organization can begin achieving its business objectives. 

1. Understand your data

What do you have across your data corpus? What formats and date ranges do you see? Can you determine the purpose/process it was collected for? 

Start by mapping out the data you hold, both structured and unstructured, across all departments and platforms. This process can be challenging, especially if your data is spread across dozens of silos, but RecordPoint can centralize all of your data across all of your systems, no matter where they live, giving you a unified view of every piece of data you own. ‍

2. Define ‘value’ in the context of your business

Not all old data is automatically without value, but it’s likely you have a lot of information that’s no longer relevant. Before you can decide what to keep and what to dispose of, though, you need to define ‘value’ for your organization.

For example, you may decide that valuable data must do one of the following:

• Ensure compliance
• Enable core operations
• Drive decision-making
• Improve customer experiences

You’ll also need to establish clear criteria to measure value. For regulatory compliance, this is often a black-and-white issue, but for improving customer experiences, you may decide that data needs to demonstrate a clear link to customer satisfaction scores.

Defining these benchmarks will help you ensure you aren’t collecting data ‘just in case’ when it actually has little value for your organizational goals. ‍

3. Identify associated risk

Different data sets have different levels of risk; personal information, for example, may carry higher levels of risk, depending on your jurisdiction. It’s important to map out the risk level per data set and determine the acceptable risk levels in your unique context.

From there, you can begin to plot the data on a value/risk matrix. This will help you identify which data requires stricter controls, which you can safely retain, and which you should dispose of to mitigate risks. 

4. Take action

Following all of the steps above, you should now be in a position to profile your data. Analyze each datapoint to answer these questions: 

• Does it have value according to your defined benchmarks?
• Does it pose unnecessary risk relevant to that value?
• Can it be disposed of without impacting compliance or regular business operations? 

Use these benchmarks to take appropriate action and get rid of any information that you don’t need and could cause undue risk to the organization.

5. Turn your processes into policies

Now that you’ve taken action to minimize what you hold, you can make the process sustainable by transforming it into a series of formal data governance policies for how your information is collected, used, stored, and deleted. Here are some of the most important:

• Data retention policy: This lays out how long different types of data should be retained based on compliance and business requirements. Automate the retention process where possible. 
• Data collection policy: This will identify what data your business can collect, why you’ll collect it, and who must give their approval that it’s in line with your business goals.
• Data access policy: This is where you spell out who can access different data types. Use role-based access controls to ensure employees only see the data they need to complete their tasks. 
• Data processing policy: Outline clear rules for how data can be used, making sure it is only processed for its original purpose in a way that respects the rights of data subjects. 
• Data disposal policy: Define secure disposal methods for digital and physical data to ensure that data you’ve disposed of can’t be retrieved and reused. 

Remember to educate your employees on the concept of data minimization through ongoing training sessions. Ultimately, they’re both your biggest asset and the weakest link in your minimization efforts. It’s important to create a culture that associates data with accountability. 

‍

How RecordPoint can help

If you’re worried about the impact of ROT on your organization, but you lack the time and resources to conduct the review manually, RecordPoint could be the solution.  

As part of our commitment to high-quality information governance outcomes, we developed File Analysis. File Analysis is a simple and efficient way to discover what's in your file share data, identify high-value (and low-value) data, and give you the intelligence to understand what you can do with it next. Empowered by your customized File Analysis report, your organization can make cost-saving and risk-reducing migration decisions about that data. 

File Analysis ensures you retain only the right information, with ROT data clearly identified for easy deletion. 

FAQs

Is data minimization required by law?

Yes, data minimization practices are required by multiple compliance standards, including the GDPR and CCPA. These laws mandate that you only collect and retain personal data that’s absolutely required for a specific purpose. Failing to follow these laws can lead to heavy fines and, of course, irreversible reputational damage. 

What is the difference between data minimization and data retention? 

Data minimization focuses on collecting only the bare minimum amount of data you need. Data retention, on the other hand, decides how long you keep that essential data once you have it in your possession. The two processes go hand in hand. One ensures you don’t collect more data than necessary; the other ensures you don’t keep that data any longer than you need it. 

What tools can help with data minimization? 

The right tools can help you with all data minimization requirements, from unifying and discovering your data to flagging ROT information with the support of AI. For example, RecordPoint can help you centralize all of your data to gain total visibility of your information. Then, our AI data classification and custom retention schedules support proactive data minimization by automatically identifying and disposing of redundant, obsolete, or trivial records. 

Does the EU AI Act impact anything?

Yes, the EU AI Act expands many of the data protection principles established under the GDPR. The legislation stipulates that any personal data used to train and deploy AI models should be strictly relevant and limited to what’s necessary, making data minimization principles essential when working with AI systems.