Minimizing privacy requirements is good for business
At Assured SPC, we help businesses satisfy regulatory and third-party requirements for information security and consumer/resident privacy. Whenever possible, we provide guidance on how to avoid and minimize cost and impact of privacy compliance requirements.
There is an answer
Businesses have a right to minimize the ongoing effort and cost of privacy compliance. And there is one foundational method to do this. The answer is in data minimization. Data minimization is conceptually simple. It is done by avoiding the collection of personal information that does not have a justifiable business purpose and deleting personal information that was previously collected but no longer has a valuable business purpose. In short, if you don’t have it, you do not need to protect it and you can minimize the time and expense responding to consumer rights requests, e.g., to provide portability, correct their stored personal information or delete it.
Laws require data minimization
Beyond minimizing personal information in the interest of the business, GDPR and the CPRA amendment to the California Consumer Privacy Act, CCPA, require that organizations do this. They require conscious evaluation of business purpose to collect, store and process personal information. And they require that organizations establish retention policies and administratively enforce the retention policies that have been established. It’s like the laws tell organizations that the Spring cleaning that you’ve always wanted to do must be scheduled and cannot be ignored.
The when and how of data minimization
GDPR requires businesses to minimize data now. And for businesses not covered by GDPR, it makes sense to start now anyway. It is good for business, it takes time and it is likely mandated in the future. Looking for our business advice on the least costly way minimize personal information? Here is a list of steps to begin your journey to data minimization:
Document policies and procedures
- Create Policies for Retention, Information Classification and Information Storage
- Create Information Handling Procedure
- Understand what you collect, store and process through data mapping (we recommend an iterative approach) where you capture the purposes, categories and attributes of personal information across all business assets/data stores
- Delete any documents and database records containing personal information for which there is no justifiable business purpose
- Organize a cross-functional team to define retention policies for each data source
- Document, approve and train employees on the retention, information classification and information storage policies
- Define and ideally, automate, procedures to remove data that passes the retention period
- Implement an scheduled administrative procedure to verify that retention periods are enforced
Security and Privacy by Design
It is wise to design and build retention schedule functionality into custom written applications. And for third party applications, verify that retention management functionality is built in and configured to operate. Examples of third party applications would include CRMs, ERPs, file storage apps like OneDrive, Google Drive, DropBox and email.
Here are some other links that may be of interest:
#dataprivacy #boardmembers #directors #datasecurity #cybersecurity #ccpa #cpra #gdpr #bipa #nyshield