Data Minimization and Doing Business
Today information is being collected, stored and transferred at an increasing rate. In some cases that data is among a business’ most valued and treasured assets. However, with the explosion in the use of technology to expand one’s online presence, this opens the door for new issues and challenges for businesses in the area of data privacy and data protection.
Data Minimization in Principle
Data minimization is the practice of minimizing the overall amount of personal data collected. It requires a data controller to limit the collection of personal data to what is relevant and necessary for the purpose it is being processed and retained for only as long as is necessary to achieve that purpose.
Data minimization is also a data protection standard and is included in the Data Protection Act of Jamaica. Section 26 of the Data Protection Act requires that personal data shall be adequate, relevant and limited to what is necessary for the purposes for which they are processed. As a result, data controllers in Jamaica have a duty, pursuant to the Data Protection Act, to comply with this principle.
–But how exactly does one practice data minimization?
Data Minimization in Practice
It may be it a challenge for businesses to integrate data minimization into practice where their business is data analytics or where it heavily relies on the information produced by data analytics such as market trends and consumer preferences. The benefit of the information to be gained from data is undeniable, however, if not processed in accordance with relevant data protection legislation, it has the potential to pose challenges for data controllers.
Adequate, Relevant, Limited
The three key elements of data minimization are ensuring the personal data is adequate, relevant and limited to what is necessary for the purposes for which they are processed.
Adequate, relevant and limited are not defined by the Data Protection Act of Jamaica or other similarly drafted data protection legislation. Notwithstanding, the UK Data Commissioner indicates that:
- Adequate means sufficient to properly fulfill your stated purposes
Relevant means has a ration link to that purpose
Limited to what is necessary means you do not hold more than what you need for that purpose.
Data controllers should assess the purpose for processing and determine what data is necessary for that specific purpose. In practice, a helpful tool to achieve this is to conduct periodic evaluations of the data, the purpose for processing and relevant policies and systems implemented. This will assist data controllers in ensuring the data is adequate, relevant and limited and highlight appropriate retention periods. Taking the ‘save everything’ approach is not best practice.
An interesting area that the relevance of data comes into play is the employee-employer relationship. When an business is collecting data on current or potential employees, it is important that the data collected is necessary and relevant for the position. For example, for the employer to adhere to their statutory responsibilities they require data to carry out the payment of income tax, PAYE, NIS and NHT obligations. In this area, periodic evaluations of the data should be done at hiring, promotion, demotion and even firing to aid in the determination of any adjustment, deletion or anonymization of the data being processed.
The time in which data is retained is not only an element of data minimization, but is a separate principle in itself. Record keeping is an important part of every business and the appropriate retention time will vary across businesses and industries. For instance, Financial Institutions and Designated Non-Financial Institutions are required by statute to retain records for seven years for anti-money laundering and counter terrorism purposes. As a result, to hold customer’s records for a period beyond seven years, unless instructed otherwise by the relevant regulator or some other compelling business reason or court order, may not be considered compliant with data minimization.
In 2018, the Danish Data Protection Authority fined Taxa 4×35, a taxi company for approximately USD$180,000.00 for retaining personal data of passengers from approximately nine million taxi rides beyond the statutorily required two-year period. While Taxa erased the name and address of each customer within the prescribed retention period, the phone number was retained and used as an account number. Taxa themselves admitted that the retention of the phone number was not necessary as an anonymized number could have been used.
Benefits of Data Minimization
In approaching the concept of data minimization, data controllers should keep in mind the benefits which include:
Reduction in cost on data retention and storage
Reduction in the likelihood of a breachreduction in the number of records that may be affected in the event of a breach
Compliance with relevant data protection legislation resulting in efficiency,
Improved customer experience
Improved risk management
- Reduced likelihood of breaches resulting in finesimproved data management
- Faster responses to data requests; and improved customer trust.
When assessing the need for data minimization, businesses should also consider the reputational risks of data breaches and potential loss of consumer confidence. A study done in 2020 by Braze, a US customer engagement platform, indicates that 84% of customers decided against engaging with a company who requested ‘too much information’.
All in all, in the realm of data minimization, less can certainly be more. Data controllers can gain more in compliance, cost saving, reputation and trust by ensuring the data being processed is adequate, relevant and limited. Data controllers should keep in mind that while data is easy to collect, there are responsibilities that come with its collection to ensure compliance with the laws and a need to have controls in place to ensure the proper use of that data. This is especially relevant now, with specific provisions of the Data Protection Act having come into force on December 1, 2021 as the two-year transitional period afforded by the Act has begun to run, making principles like data minimization more important than ever. Preparing your business for compliance with the Data Protection Act is a new area but with proper advice and awareness you will be able to prepare to meet the challenge. If you are unsure, you should seek the advice of a competent attorney.
Joanna Marzouca is an Associate in Myers, Fletcher & Gordon’s Commercial Department. She may be contacted via firstname.lastname@example.org or www.myersfletcher.com. This article is for general information purposes only and does not constitute legal advice.