Personally identifiable information (PII)—from Social Security numbers and birthdates to addresses of customers and employees—is an essential part of doing business, but it’s also an enormous liability for the organizations that store it. As data is collected, control over it frequently becomes decentralized, making it harder to secure.
We regularly advise organizations on the practice of data minimization, which limits the collection and retention of information to that which is essential to business operations. Engaging in a “data diet” will protect organizations, their customers and employees from a breach of sensitive information. Below, we offer important advice for businesses looking to do so:
Collect Data That Is Necessary for Business Functions.
Many companies have a philosophy of “collect now, find a use later.” But PII as sensitive as a Social Security number should be collected only if absolutely necessary. Consider what information the company must collect to complete a customer transaction, hire an employee, or work with a vendor, and limit it to those elements. The company should seek the consent of the individual to retain such information, and provide a privacy policy that clearly states how it will be used. Regulations apply to certain populations, such as children, so be sure your organization is compliant with the law.
Eliminate, Reduce, and Re-evaluate on a Regular Basis.
Once data collection has been limited, an important next step is to eliminate, or at least de-personalize, data (particularly if it is for marketing analysis, where PII is not needed), reduce the redundancy of files, and recognize that this is an ongoing process in need of at least annual re-evaluation of minimization procedures.
Train Employees to Practice Data Minimization on an Individual Basis.
Minimization techniques do not just apply to what’s stored in the company’s database. Individual employees should recognize their responsibilities to refrain from collecting, storing, and unnecessarily duplicating information. First and foremost, the organization should provide each employee with access to only that which is necessary to perform their job duties. Beyond that, periodic desk audits may be a helpful tool to remind employees to properly dispose of unnecessary data, return paper files to a secured storage location, and refrain from duplicating information in multiple locations unless absolutely necessary.
Require Third-Party Vendors to Minimize Duplication of Data.
Third-party vendors should disclose any practices that include duplication or indefinite storage of data that the organization provides to them. The vendor should also provide specifics on data collection techniques utilized on behalf of the organization. To that end, contracts with third parties should include specific requirements regarding the collection, use, disclosure, repetition and disposal of data.
Look for “Hidden” Areas of Stored Data.
Is the photocopier’s memory purged so that old documents cannot be retrieved? How about the fax machine? Does the storage room have a corner devoted to old devices that were never wiped clean? Sensitive information has a way of popping up in some unique places, and generally it’s not even noticed until it’s time to return leased office equipment, upgrade computers, or clean out the storage closet.
Data minimization and elimination are sound risk management strategies that, if done correctly, will actually promote dynamic, effective data use within the organization. Rather than viewing it as a necessary evil that affects customer or employee relations, look to data minimization as another tool in the organization’s security arsenal.
By Kroll Editorial Team