Data minimization strategy can mitigate risks from data sprawling


By Vishal Salvi, Chief Information Security Officer & Head of Cyber Security Practice – Infosys

Data minimization is one of the most important principles your business can follow to respect user data and comply with global privacy laws.

The adoption of innovative technologies and varied storage solutions has caused data sprawl. Data sprawl refers to the staggering amount and variety of data produced by businesses every day. This is largely due to the variety of enterprise software, mobile apps, storage systems, and data formats every company relies on.

Hence, cybersecurity experts have shifted their focus to data minimization in the aftermath of high-profile data breaches at Australia’s Optus, Medibank, and others. In today’s data-driven economy, enterprises struggle to reduce the attack surface where sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or altered by unauthorized personnel.

Yet, while data is vital for businesses, it also presents new challenges.

Ungoverned large data volumes present complex challenges such as vulnerability to breaches, high costs, and poor data quality. Data breaches can also lead to other adverse impacts like non-compliance, reputational damage, ransom, fraud, and hefty penalties.

To remain competitive and for the best return on investment (ROI) on data-centric services, enterprises need a strong data minimization strategy.

Data minimization is the principle of restricting the collection, storage, and processing of personal data to the bare minimum required. The aim is to reduce the risk of harm to individuals from data breaches or unauthorized access to their personal information. Further, data minimization reduces operating costs, improves efficiency, and minimizes risks associated with data collection, storage, and processing.

In India, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 govern data minimization. The rules state that data controllers must limit the collection, storage, and use of sensitive personal information to what is necessary. However, enterprises face the dilemma of balancing minimization with staying competitive in their business.

The following common best practices should be followed to build a data minimization strategy in your enterprise landscape:

Data Discovery

Data Discovery provides basic capabilities for discovering data residing across all disparate systems, on-premises and in the cloud. It is often used to understand trends and patterns in the data. It helps in classifying and labeling structured and unstructured data. It sets the stage for regular data assessment.

Periodic review of data collection, storage, processing, and disposal

Enterprises must review the data they collect, store, and process regularly to ensure that it is still needed for the original intended purpose and, if not, they must dispose of the data.

Driven by AI, robotics, 5G, and the advancement of sensor technology, businesses will witness the rapid development of new applications such as smart cities and Industry 4.0, which collect and use more sensitive data, such as individuals’ live tracking location details for better transportation, healthcare, and finance. Importantly, upcoming technologies such as Metaverse and Web3.0 do not pose a direct privacy danger.

Adhere to the data minimization guidelines prescribed by data regulatory laws

Many global privacy regulations, including the GDPR (General Data Protection Regulation) that went into effect in May 2018, require organizations to implement strong data minimization controls when collecting and processing data, to comply with the GDPR purpose limitation principle.

The GDPR also requires organizations to review the personal data they have collected regularly and to delete or anonymize any data that is no longer required.

Therefore, to reduce the risk of information being exposed to cyber-attacks, organizations holding personal information should identify how long they need to keep the information to fulfill the purpose for which it was collected, and keep it only for the duration required to achieve that purpose. The longer the data is kept, the more vulnerable it is to cyber-attacks.

Invest in technology and processes that support data minimization

Enterprises will also need to invest in technical and organizational measures to reduce and securely dispose of personal data. They need to design and build technologies to share data within and across organizational boundaries. Privacy-preserving technologies such as differential privacy, multi-party computation, and homomorphic encryption can be part of the enterprise ecosystem.

Still, despite best efforts, a breach can occur and hold an enterprise to ransom or cause losses, so cyber insurance that covers data breach notification, credit monitoring, and legal fees must be part of the cybersecurity strategy.

The coverage could also include liability for unauthorized access to sensitive information, business interruption coverage to compensate for lost income, loss of funds coverage for unauthorized transfers from a company’s bank account, and cost of investigation coverage to assist with breach investigation costs.

IDC predicts a 10x increase in data volumes. In just a decade, by 2025, global data volume would be around 175 zettabytes. This data will unleash new possibilities, user experiences, and economic prospects. This datasphere also exposes sensitive information to new vulnerabilities, mandating the adoption of data minimization principles along with best-in-class privacy technology and data governance.
