A mountain of personal data might be appetizing to some organizations, but other companies see that same trove as a security and regulatory risk. In turn, many organizations are proactively implementing data minimization policies, according to the "Big Data is Dead! Yet 'Small' Data Isn't Ready for Primetime" survey, sponsored by the Coalition of Technology Resources for Lawyers (CTRL) in partnership with Osterman Research and Relativity. 

More than half (58%) of the 19 North American organizations surveyed said they have a corporate mandate to minimize the retention of personal data. Still, "data minimization" can mean different things to different companies.  

Most respondents (70%) defined such efforts as "stopping the collection of data that isn't necessary to the fulfillment of specific business objectives," while 64% also said the process included stopping the retention of data that isn't being used by the organization for legitimate business purposes. In addition, around half (51%) said such efforts meant "deleting redundant, obsolete or trivial data."

Differing definitions aside, the survey found corporate information governance best practices to be the top factor (61%) driving organizations' personal data minimization policies. Tied for a distant second were the General Data Protection Regulation and storage costs (35% each), followed by IT or business process complexities (33%) and the California Consumer Privacy Act (28%).

CTRL founder and executive director Dean Gonsowski said he views corporate information governance as a broader umbrella that includes regulatory guidance, but nonetheless companies are understanding their heightened risk when retaining personal data.

"Just the exposure you have to maintaining and retaining data that you don't need to have is a big issue, and there are different ways to [retain data] if you are responding to GDPR, CCPA or information governance. [But] I don't know if it really matters because there's real penalties to retaining too much data."

Outside of regulators' penalties and fines, a data breach of a company storing extensive personal data could lead to expensive civil suits and reputational harms.

"Because they have seen the economic and reputational damages these data breaches cause, I think if there has been one driving force behind minimization retention, it is the fear of the data breach," added Relativity discovery counsel and legal education director David Horrigan.

When a data minimization policy is issued, it usually comes from the IT department, but that practice may create substantial legal risks if other departments are not included in the process.

"Security, compliance and legal really need to take ownership of this," said CTRL director of legal education and resources Philip Favro. "They are the drivers of data minimization, and IT implements the vision security, compliance and legal created."

Over half (56%) said they deployed technology to enforce their data minimization policies, which limits the collection, storage and processing of personal data. Most conducted periodic cleanup initiatives (76%), while over half (58%) leverage records management systems and 43% use structured databases with expiration features.

In contrast, only 6% of respondents said they use ephemeral messaging for communications when enforcing data minimization. Excluding industries where regulators require keeping communication records, Favro said ephemeral messaging could address data minimization and privacy issues, but he noted the hesitancy toward ephemeral technology is part of a larger spoliation concern.

In fact, 83% of respondents said they were concerned that minimizing data could lead to more spoliation exposure—a warranted concern, Favro acknowledged.

While organizations ponder ephemeral messaging's benefits, most are struggling to tackle their unstructured data. Nearly 90% said they have a comprehensive data inventory for their structured data, yet only 15% said their unstructured data was similarly inventoried.

"Unstructured data is hard to get a handle on, and that's why people struggle with it," Horrigan said. He explained an organization may not know what data they have, what platforms house it or how to access it.