Why data minimization could be the next challenging task for enterprise IT?
After a host of privacy regulations globally—such as the European GDPR and the UK Data Protection law—India is all set to enact its own privacy regulation. The Personal Data Protection Bill, after a lot of public debate and modification, is all set to be introduced in this session of parliament.
Once the regime sets in, organizations—especially those dealing with a lot of consumer data—will have to comply with the regulation. In industries such as banking, insurance and telecom, some basic safeguards are already in place, because of strategic reasons, sectoral regulation or both. In many other industries—retail (one of the most common targets of attackers), consumer goods, online services and media—there is a lot of consumer data but no strategic or regulatory imperative today to guard it; once the Act is in force, guarding it will become mandatory. In India, unlike in Europe, the rules are a bit relaxed for government entities. Yet, when it comes to private enterprises, they are as stringent as anywhere else in the world.
Companies—even though they are yet to fully comprehend what that could mean—are beginning to wake up to the new reality. Vendors are talking to them about how to ‘protect the personal data that they collect’, and are expecting to make a fortune.
Beyond securing data
With the new regime setting in, organizations will be under pressure to comply with the new regulations. Managing personal data collected from individuals will be one of the most important yet difficult tasks before organizations.
But despite growing awareness and sensitivity around the issue, most organizations equate managing personal data with ‘securing’ that data—thanks partially to the high-pitch marketing done by security vendors.
In reality, though, a more pragmatic approach would be to retain, or better still to collect, only the data that the organization absolutely requires for its business, rather than collecting data mindlessly.
Data minimization—retaining only the data that is essential for a business purpose and in compliance with the various regulations, legal directives and best practices—is increasingly becoming the preferred approach in developed markets, which have been exposed to privacy laws in different forms for some time.
To understand how organizations look at data minimization, the Coalition of Technology Resources for Lawyers (CTRL), a California, US-based education and research group focused on advancing the discussion of technology and analytics for law, conducted a survey in association with Osterman Research, the results of which were published recently.
While it was conducted among US organizations, it helps in understanding the issues and challenges.
Some of the findings are presented here. They could be the basis for organizations probing where they stand.
Indian organizations can start their data minimization efforts even before the regulations set in. They have the learning from the rest of the world to draw on.
What is data minimization?
Data minimization still means different things to different people. For some, it is minimization of collection; for others, minimization of retention. For others still, it is just deleting data that is old or irrelevant. The meaning that an organization attaches to data minimization could be derived from the reason why it wants to do so.
So, what are the drivers?
In India, privacy is not really an important consideration for individuals. So there are very few stated privacy statements. It is only the regulation that will make many go for protecting the privacy of individuals. In the US, where the research was conducted, corporate governance—that is, proactive privacy—is the top driver of data minimization initiatives. While GDPR has come as a big driver, storage costs have also emerged as one of the top three drivers.
Whose responsibility is it, anyway?
Well, the buck always stops at…you know who. When asked who was leading their data minimization efforts, three out of four organizations said it was their IT department. Almost six out of ten said it was security. Despite the big stakes and the sensitization of all senior management, the effort is left to the techies, simply because few others understand the nuances.
Do you think it will be any different in India?
Do they know what data they have got?
Well, you are the master of your structured data, most of which is planned data. Less than half the organizations have an inventory of their semi-structured data, and organizations do not have a clue about their unstructured data. In most data protection regulations, including India’s own draft regulation, data erasure, or the right to be forgotten, is a major requirement. If you do not know what you have, how can you ensure that you can get rid of it?