Big Data Creates Big Problems: Organizations Mandating Data Minimization Efforts
Corporate information governance best practices—and not government regulations—are the main factors pushing companies toward data minimization policies, according to a new survey.
November 11, 2019 at 11:30 AM
4 minute read
A mountain of personal data might be appetizing to some organizations, but other companies see that same trove as a security and regulatory risk. In turn, many organizations are proactively implementing data minimization policies, according to the "Big Data is Dead! Yet 'Small' Data Isn't Ready for Primetime" survey, sponsored by the Coalition of Technology Resources for Lawyers (CTRL) in partnership with Osterman Research and Relativity.
More than half (58%) of the 19 North American organizations surveyed said they have a corporate mandate to minimize the retention of personal data. Still, "data minimization" can mean different things to different companies.
Most respondents (70%) defined such efforts as "stopping the collection of data that isn't necessary to the fulfillment of specific business objectives," while 64% also said the process included stopping the retention of data that isn't being used by the organization for legitimate business purposes. In addition, around half (51%) said such efforts meant "deleting redundant, obsolete or trivial data."
Differing definitions aside, the survey found corporate information governance best practices as the top factor (61%) driving organizations' personal data minimization policy. Tied for a distant second was the General Data Protection Regulation and storage costs (35% each), followed by IT or business process complexities (33%) and the California Consumer Privacy Act (28%).
CTRL founder and executive director Dean Gonsowski said he views corporate information governance as a broader umbrella that includes regulatory guidance, but nonetheless companies are understanding their heightened risk when retaining personal data.
"Just the exposure you have to maintaining and retaining data that you don't need to have is a big issue, and there are different ways to [retain data] if you are responding to GDPR, CCPA or information governance. [But] I don't know if it really matters because there's real penalties to retaining too much data."
Outside of regulators' penalties and fines, a data breach of a company storing extensive personal data could lead to expensive civil suits and reputational harms.
"Because they have seen the economic and reputational damages these data breaches cause, I think if there has been one driving force behind minimization retention, it is the fear of the data breach," added Relativity discovery counsel and legal education director David Horrigan.
When a data minimization policy is issued, it's usually done so by the IT department, but that practice may create substantial legal risks if other departments are not included in the process.
"Security, compliance and legal really need to take ownership of this," said CTRL director of legal education and resources Philip Favro. "They are the drivers of data minimization, and IT implements the vision security, compliance and legal created."
Over half (56%) said they deployed technology to enforce their data minimization policies, which limits the collection, storage and processing of personal data. Most conducted periodic cleanup initiatives (76%), while over half (58%) leverage records management systems and 43% use structured database with expiration features.
In contrast, only 6% of respondents said they use ephemeral messaging for communications when enforcing data minimization. Excluding industries where regulators require keeping communication records, Favro said ephemeral messaging could address data minimization and privacy issues, but he noted the hesitancy toward ephemeral technology is part of a larger spoliation concern.
In fact, 83% of respondents said they were concerned that minimizing data could lead to more spoliation exposure—a warranted concern, Favro acknowledged.
While organizations ponder ephemeral messaging's benefits, most are struggling to tackle their unstructured data. Nearly 90% said they have a comprehensive data inventory for their structured data, yet only 15% said their unstructured data was similarly inventoried.
"Unstructured data is hard to get a handle on, and that's why people struggle with it," Horrigan said. He explained an organization may not know what data they have, what platforms house it or how to access it.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250