If you are not familiar with the privacy regulations that govern the data on your business servers, finding out is a great first step to compliance and cost savings.
Employers, healthcare providers, those who conduct financial transactions, and education, are just a few of the industries now heavily regulated by privacy laws, at the state, federal, and international level, and they all include a big section on data minimization. The proposed Omnibus U.S. Privacy Law would make another huge shift away from consent-based permission, such as fine print on in-person interactions or pop-up ad or cookie consent model online. The new model aims for data minimization in a big way by prohibiting data gathering for all but a list of permitted purposes, right from the first point of contact, requiring those that get personal data of individuals to offer an opt-out, and in any event, to get rid of the data as soon as practicable.
Business owners who did not know this can be forgiven, because the opposite has long been true. There are industries required by statute to collect personal data, such as healthcare. The transition from paper records to EHR - electronic health records, for example, was expensive for some medical providers. Federal legislation offered incentives to switch to electronic charting if providers would collect tons of patient data and then use it for population health goals, called "meaningful use."
Other industries such as finance, employment, and education also experience this tension between collecting enough data to meet regulatory record-keeping obligations, while at the same time not keeping too much data, or keeping it too long.
Businesses have profited off personal data. They have gathered personal information on employees and customers, sometimes for years. Those with commercial websites can offer ad-free content in exchange for collecting customer information to sell. Data wholesalers have made big data a lucrative product, buying information about us and selling it to political, commercial, and fundraising buyers who use it to target us with ads and other messaging. The data can be collected during sales transactions, but also just as visitors browse, answer surveys, or are followed by online trackers. The online consumer warning has become, "If it's free on the internet, then you're the product."
Owning the personal data of individuals has become very expensive, whether you have an interactive business website or not. Privacy laws, including those in California and other states, the European Union, and the draft Omnibus U.S. privacy law language, all call for businesses to adopt data minimization procedures or else pay a lot to keep personal data legally, and pay even more in the event of a data security breach, either through hackers, accidental leaks, or technical mistakes.
But what about a business that chooses the opposite route now. So how can data minimization practices increase customer satisfaction and save the business money?
Although data minimization compliance has several parts, one important piece is aging your data appropriately. Keep only current data on active platforms, and move older data off as soon as possible, stripping it of individual identifiers and destroying those identifiers permanently.
Easier said than done. But businesses that do invest in data minimization practices realize customer satisfaction boosts, because data practices increasingly must be disclosed to consumers at initial points of interaction, usually immediately before they give you their personal information, or just as they arrive at your website to browse. Customers seem to like knowing that you are paying attention to the security of their information.
Also, and even more immediately, businesses that practice data minimization enjoy an reduction in the risk of fines and costs. Privacy regulators in nearly every industry reward data minimizers with lower costs, sometimes down to $0, in the event of an incident, and some even offer data minimization as a complete safe harbor against any regulatory citations at all. Plus, the new Omnibus U.S. Privacy law appears prepared to require data minimization right from the first point of contact.
So it pays to know the data privacy regulations governing your business and to adopt data minimization that complies with those regulations. Your customers will appreciate it, and so will your risk manager.
"[The U.S. Omnibus Privacy] bill takes a data-minimization approach first,” says Sara Collins, senior policy council at Public Knowledge, a consumer advocacy group in DC, “you don't collect any more data than you reasonably need"
https://www.dataversity.net/the-trend-toward-emphasizing-data-minimization/