At a recent annual meeting of The Sedona Conference Working Group on Data Security and Privacy Liability, one key theme seemed to be on everyone's mind. During the sessions, which covered breach notification laws, litigation and other current issues impacting data privacy and security, the topic of data minimization came up again and again. While the practice of data minimization isn't exactly new, we're now seeing it resonate and discussed at the forefront of the legal industry for the first time.

The reason is that companies have never faced greater risk with respect to their data than they do today. The landscape is only growing more challenging and complex. Across the globe, stringent data protection laws have emerged, and several U.S. states are implementing legislation to introduce new regulations for how governments and businesses are permitted to handle personal data. Multinational corporations must navigate compliance requirements for the General Data Protection Regulation, China's Information Security Technology–Personal Information Security Specification and Cybersecurity Law, Brazil's General Data Privacy Law, the California Consumer Privacy Act, U.S. state-based breach notification laws and dozens of others.

The vector of risks introduced by data privacy laws grows exponentially when combined with cybersecurity threats, insider threats and potential theft of intellectual property and trade secrets. Since it's clear that the waters of data risk are going to be rough for the foreseeable future, corporations must start acting now to take steps that will narrow the scope of information they store. Data minimization is a critical strategy in that effort.

Data Past, Present and Future

Traditionally, many companies have taken a "save everything" approach. Often, simply because the company hasn't thought through its data retention needs. Others avoid deleting data out of a belief that saving everything can bolster big data insights and provide value, a lack of understanding about the risks or due to worry over spoliation.

With information technology's migration to the cloud, patterns in the "save everything" mentality have started to shift in recent years. Many organizations completed a healthy reduction of their overall data universe when they migrated. But as cloud reliance has grown, and new tools such as Slack and other collaboration platforms are adopted, data volumes are growing again at a rapid rate. These new data sources bring yet another element of risk. Within three to five years, organizations without a proactive data retention and deletion program are going to have an even larger problem on their hands than they did before cloud migration, with massive amounts of data resting across numerous third-party sources.

Minimize the Data, Minimize the Risk

Simply put, the greater the data footprint, the greater the risk. Some circumstances may justify data redundancy such as adequate backups or data that must be retained for regulatory or legal-hold ­purposes. As a best practice, anything outside of that scope—extra copies, legacy files and trivial information that is irrelevant to legal, compliance and business needs—should be minimized. Our teams have led extensive data breach response work, and time and again have encountered vastness of old and unnecessary data, including files with highly detailed personally identifiable information (PII), that continues to live on corporate email stores and computers. In many cases, legal teams are simply unaware that this data exists, and then are left scrambling to deal with the repercussions when a breach, privacy law violation, or litigation event occurs.

Counsel must recognize the important role data minimization efforts play in addressing risk. Below are steps legal teams can take to implement a data ­minimization plan and maintain a reasonable retention and deletion policy long term.

Understand your data: Organizations need to understand what data they have, where it lives and how it is protected. This is particularly critical for personally identifiable and personal health information (PHI) as well as IP and trade secret information. Counsel can work with outside digital forensic experts to conduct a data mining and forensic analysis exercise on the corporate data universe to locate all PII, PHI and other sensitive information. This insight will inform a data inventory and heat map that shows sources containing sensitive information and exceeding reasonable retention requirements, allowing informed and defensible deletion.

Collaborate with information security: Data breaches, cybersecurity incidents and data protection authority inquiries inevitably lead to investigations. In many cases, these investigations reveal gaps in IT and security practices and access control. Legal must partner closely with information security teams to narrow down the scope of individuals who have access to view, transfer, change or delete critical information.

Set up a retention schedule: Once the scope of data has been reduced across corporate information stores, a retention schedule should be implemented and automated to ensure data volumes don't get out of control again. ­Strategic conversations across key stakeholders should take place to determine what the organization does and does not need to keep and for how long, taking into account any statutory legal and regulatory obligations.

Balance minimization and analytics needs: The advent of GDPR introduced a new tension between requirements to keep only what is reasonably necessary, and the need to feed big data into AI and analytics tools. Counsel can work with executive leadership to determine the organization's risk tolerance level, which will guide where decisions about data use and storage fall on the spectrum between high risk and conservative. Minimization efforts can follow suit. Even for the few organizations that aren't impacted by data privacy laws, the broader matrix of cybersecurity, trade secret and litigation risk is enough to warrant data minimization as a priority. It may seem like an insurmountable task, but with the right experts guiding the process, counsel can get data volumes under control and ensure legacy and redundant data do not create problems for the organization now or in the future.

Sheryl Falk is a partner and co-leader of Winston & Strawn's Global Privacy and Data Security Task Force. Steve McNew is a senior managing director within the technology practice of FTI Consulting and is based in Houston. Daniel Roffman is a senior managing director at FTI Consulting in the computer forensics practice of the technology segment.