Minimizing privacy requirements is good for business

At Assured SPC, we help businesses satisfy regulatory and third-party requirements for information security and consumer/resident privacy.  Whenever possible, we provide guidance on how to avoid and minimize cost and impact of privacy compliance requirements.

There is an answer

Businesses have a right to minimize the ongoing effort and cost of privacy compliance. And there is one foundational method to do this.  The answer is in data minimization.  Data minimization is conceptually simple. It is done by avoiding the collection of personal information that does not have a justifiable business purpose and deleting personal information that was previously collected but no longer has a valuable business purpose.  In short, if you don’t have it, you do not need to protect it and you can minimize the time and expense responding to consumer rights requests, e.g., to provide portability, correct their stored personal information or delete it.

Laws require data minimization

Beyond minimizing personal information in the interest of the business, GDPR and the CPRA amendment to the California Consumer Privacy Act, CCPA, require that organizations do this. They require conscious evaluation of business purpose to collect, store and process personal information. And they require that organizations establish retention policies and administratively enforce the retention policies that have been established.  It’s like the laws tell organizations that the Spring cleaning that you’ve always wanted to do must be scheduled and cannot be ignored.

The when and how of data minimization

GDPR requires businesses to minimize data now.  And for businesses not covered by GDPR, it makes sense to start now anyway. It is good for business, it takes time and it is likely mandated in the future.  Looking for our business advice on the least costly way minimize personal information? Here is a list of steps to begin your journey to data minimization:

Document policies and procedures

  • Create Policies for Retention, Information Classification and Information Storage
  • Create Information Handling Procedure

Execute procedures

  • Understand what you collect, store and process through data mapping (we recommend an iterative approach) where you capture the purposes, categories and attributes of personal information across all business assets/data stores
  • Delete any documents and database records containing personal information for which there is no justifiable business purpose
  • Organize a cross-functional team to define retention policies for each data source
  • Document, approve and train employees on the retention, information classification and information storage policies
  • Define and ideally, automate, procedures to remove data that passes the retention period
  • Implement an scheduled administrative procedure to verify that retention periods are enforced

Security and Privacy by Design

It is wise to design and build retention schedule functionality into custom written applications. And for third party applications, verify that retention management functionality is built in and configured to operate.  Examples of third party applications would include CRMs, ERPs, file storage apps like OneDrive, Google Drive, DropBox and email.

Here are some other links that may be of interest:

Assured SPC’s Managed Privacy Service

What is the diffference between Security and Privacy

Assured SPC HIPAA Compliance Services

Operationaling CCPA with reduced risk and cost

  

#dataprivacy #boardmembers #directors #datasecurity #cybersecurity #ccpa #cpra #gdpr #bipa #nyshield

 

opens in a new tab)