GDPR Countdown – 15 Weeks to Go

I was working with my son on his homework last night, and before we began, I had to look in his backpack to find a pencil. I assumed it would be a fairly simple task: open a compartment and there it would be. In fact, it was a ten-minute exercise of sorting through a nearly unbelievable assortment of items. His bag included (I’m not kidding) about twenty small heart-shaped erasers (a Valentine’s gift, no doubt), eight medium-large rocks, five small rubber balls, a Highlights magazine, two handfuls of pine tree bark, the entire Narnia series, and a fruit roll-up wrapper.

I had two thoughts. First, he is exactly like I was at that age (except it would have been a Bubble Tape wrapper). Second, I wondered how and why he had all of this stuff. The pine bark was for a treehouse he planned to build (reasonable enough), but the rest he had “because I have it.” He had accumulated the rest as he went along, and never got rid of it.

That’s a perfect metaphor for how many companies treat data. They amass a huge amount of information, much of it irrelevant or of marginal use, but they keep it just because it seems like it might be easier than deleting. It is an understandable impulse, but a very dangerous one, because inadvertent data hoarding puts you at odds with one of the key principles of the GDPR: data minimization.

Minimization is the principle that a data controller should collect and keep only the personal data necessary to accomplish its stated purposes, and not compile a portfolio of extraneous information on customers or clients. The GDPR states it in Article 5(1)(c): personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” For the EU, this is about the citizen’s fundamental right to privacy: preventing more of their personal information than necessary from being held by those who do not need it. Under the GDPR, the less a company needs to know, the less it may collect. When asking for personal details before shipping goods to a customer, then, it makes sense to ask for their home address, but asking for their blood type does not.

If that seems like an extreme example, it shouldn’t. There are countless examples of entities accumulating huge stores of information not directly tied to the good or service they provide. Consider a company that requires website users to supply confidential information to verify their identity, such as a mother’s maiden name, a favorite target for identity thieves because other services use the same answer as a recovery question. If the company is hacked, the risk to everyone involved is substantially higher than if the company had deleted that information once it was no longer needed, for example when the customer closed the account. By the same logic, the company could have, and probably should have, deleted the former customer’s home address and phone number as well. Minimizing the data you possess decreases the harm if it is stolen.

There are other ways to reduce exposure, ranging from pseudonymization and encryption, which limit what an attacker can use if a copy leaks (note that pseudonymized data is still personal data under the GDPR, so it lowers risk rather than removing the obligation), to “fading,” where details of an account are scrubbed progressively over time. For instance, if a company once held a customer’s name, email address, home address, phone number, and credit card information, it could delete the credit card information after a week or two, the phone number after a few more weeks, the home address after a few months, and eventually the email address and name after sufficient time has passed. Fading keeps each piece of information available only as long as it is needed and deletes it when it is not. If the customer has made no purchases in seven years, why keep a credit card number that is likely out of date anyway? Deleting data once its purpose is served is also the GDPR’s storage limitation principle (Article 5(1)(e)), which works hand in hand with minimization.
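Here is what a fading policy looks like as code. This is an added example, not from the original post: the retention windows follow the post’s sketch but the exact numbers, field names and the keyed-hash pseudonymization are illustrative assumptions, not anything the GDPR prescribes. The clock runs from the customer’s last activity, and a record already faded is left alone on the next run so a nightly job can be re-run safely.

```python
"""Field-level data fading: scrub record fields once they outlive their
retention window, measured from the customer's last activity.

Added example, not code from the original post. Retention periods and
field names are assumptions chosen to mirror the post's description.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class FadeRule:
    field_name: str
    keep_for: timedelta          # how long after last activity the field survives
    action: str = "delete"       # "delete" (set to None) or "pseudonymize"


# Assumed policy: highest-risk, shortest-purpose data fades first.
DEFAULT_POLICY = (
    FadeRule("card_number", timedelta(days=14)),
    FadeRule("phone", timedelta(days=60)),
    FadeRule("home_address", timedelta(days=180)),
    FadeRule("email", timedelta(days=365 * 2), action="pseudonymize"),
    FadeRule("name", timedelta(days=365 * 2)),
)

# Placeholder key for the demo; in production this lives in a secrets store.
PSEUDONYM_KEY = b"demo-key-replace-me"


def pseudonymize(value: str, secret: bytes = PSEUDONYM_KEY) -> str:
    """Keyed BLAKE2b token: records can still be joined internally, but the
    value cannot be recovered without the key. Under the GDPR this token is
    still personal data because it remains linkable to the person."""
    return hashlib.blake2b(value.encode(), key=secret, digest_size=16).hexdigest()


def apply_fading(record: dict, today: date,
                 policy: tuple[FadeRule, ...] = DEFAULT_POLICY,
                 secret: bytes = PSEUDONYM_KEY) -> tuple[dict, list[str]]:
    """Return (faded copy of record, list of fields scrubbed on this run).

    Fields listed in record["_faded"] were scrubbed by an earlier run and are
    skipped, so re-running the job never re-hashes a pseudonym.
    """
    idle = today - date.fromisoformat(record["last_activity"])
    out = dict(record)
    already = set(out.get("_faded", []))
    scrubbed: list[str] = []
    for rule in policy:
        if rule.field_name in already or out.get(rule.field_name) is None:
            continue
        if idle >= rule.keep_for:
            if rule.action == "pseudonymize":
                out[rule.field_name] = pseudonymize(out[rule.field_name], secret)
            else:
                out[rule.field_name] = None
            scrubbed.append(rule.field_name)
    out["_faded"] = sorted(already | set(scrubbed))
    return out, scrubbed


def field_inventory(records: list[dict]) -> dict[str, int]:
    """Catalogue how many records still hold each personal-data field.
    Bookkeeping keys (leading underscore) and the activity date are excluded."""
    counts: dict[str, int] = {}
    for rec in records:
        for key, value in rec.items():
            if key.startswith("_") or key == "last_activity" or value is None:
                continue
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample record for demonstration; not real customer data.
SAMPLE = {
    "name": "A. Customer",
    "email": "a.customer@example.com",
    "phone": "+1 555 0100",
    "home_address": "1 Main St, Springfield",
    "card_number": "4111111111111111",
    "last_activity": "2018-01-01",
}

if __name__ == "__main__":
    for run_date in (date(2018, 1, 15), date(2018, 8, 1), date(2021, 1, 1)):
        faded, gone = apply_fading(SAMPLE, run_date)
        print(run_date, "scrubbed:", gone)
    print("fields still held:", field_inventory([faded]))
```

The inventory function is the “catalog it” step: run it before and after a fading pass and the difference is exactly the data you were holding for no purpose.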

The bottom line is that data minimization makes sense for all involved. It protects the customer’s data and lowers the risk of harm to the company in the event of a breach. None of this is to say that companies should scrub all of their data right away; indeed, data may be extremely valuable and a crucial component of a data sharing partnership. Instead, the point is to carefully analyze the data you possess, why you possess it, and what you’re really doing with it. No CEO wants to find out that there was a data breach and that there wasn’t any good reason for the company to have kept the sensitive data that was lost.

So look through the data you have, catalog it, and decide whether it’s valuable enough to keep. You may be surprised how many candy wrappers and rocks you find.

