Data minimization can be a powerful – and seemingly simple – data security measure. The term refers to retaining the least amount of personal information that is necessary in order for an organization to function. Less information means that there is less that the organization needs to protect, and less opportunity for information to be lost or stolen.

In practice data minimization requires organizations to fully understand where they collect information, why they collect information, and where it is stored.  It  also requires difficult decisions regarding what information the organization will likely need in the future from a business perspective, and what impact having limited consumer or employee records may have on potential legal disputes if they arise. For example, an organization that chooses to implement a 30 day or 60 day automatic “roll off” policy for employees’ may not be able to identify email exchanges between an employee and a vendor that relate to a contract dispute which arises months later.

Click here to view the table.

“The indiscriminate collection of data violates the First Commandment of data hygiene:  Thou shall not collect and hold onto personal information unnecessary to an identified purpose.  Keeping data on the off-chance that it might prove useful is not consistent with privacy best practices.”

- Federal Trade Commission Chairwoman Edith Ramirez**