Data Minimization for CPRA & GDPR (What You Must Know)
The total number of data breaches more than tripled in the 9 years from 2013 to 2022, according to research conducted by MIT. What’s worse, the trend is still upward.
To combat the increase in data breaches, many data privacy laws have adopted data minimization principles. While the GDPR has outlined data minimization principles for years, the CPRA (California Privacy Rights Act) has recently implemented similar principles to protect consumer data.
But what exactly do the CPRA and GDPR say about data minimization? In this article, we’ll cover data minimization principles under these regulations, why they are beneficial, and how to implement them in your business.
What is Data Minimization?
The name makes it clear: data minimization is about reducing the amount of data your business collects. It’s about collecting only what’s necessary for a specific business function or service for which a consumer has given their consent.
Both the GDPR and CPRA have clearly defined data minimization, in terms of data discovery and collection as well as data usage and retention.
Article 5 of the GDPR defines data minimization as “adequate, relevant, and limited to what is necessary in relation to the purposes for which (it is) processed.”
While the GDPR doesn’t go into depth on the time limit for data storage or how to measure what’s “necessary”, the definition lays a solid foundation for data minimization in any industry.
The CPRA provides a similar definition and describes data minimization as “reasonably necessary and proportionate” to the purpose for which it was collected under section 1798.100(c). The CPRA also states that businesses should not store data “for longer than is reasonably necessary.”
Businesses that aren’t compliant with these guidelines face larger penalties in the event of a data breach, especially if the breach exposed data that should never have been stored.
Benefits of Data Minimization
Data minimization is a regulatory requirement under the CPRA and GDPR, but it should still be a priority even if your business doesn't fall under these regulations. Data minimization principles protect personal data and sensitive data, including sensitive business information.
It’s also an effective risk management strategy and can help streamline certain business processes.
Some benefits of data minimization include:
Lower Risk of Data Breaches
The concept of minimizing data collection and storage is simple: the less data your business collects, the lower the risk of a data breach. Smaller data inventories are easier to protect, and you’ll have less sensitive information to worry about.
Compliance With Data Regulations
The GDPR has listed data minimization as one of its core principles, and other regulations are following suit. Considering the average penalties for data breaches are increasing yearly, it makes financial sense to implement a system that limits data collection in your business.
You’ll also need to follow industry-specific regulations that cover data minimization principles. For example, HIPAA requires businesses in the health industry to limit access to Personal Health Information (PHI).
Better Security and Trust Ratings
Not every compliance requirement comes from state or national law. Industry-specific standards also include detailed data minimization requirements, and having the right data collection and storage system can earn you better ratings with industry-specific organizations.
For example, the PCI DSS applies to businesses that store and process cardholder data. It covers minimizing data collection, log access restrictions, and limiting data retention. Requirement 3 states that businesses should store cardholder data only when absolutely necessary, and those that fail to follow the requirements could lose their security ratings.
Business Process Agility
Having less data to store also provides a key advantage in ensuring business process agility. A smaller data inventory means that the data discovery process is more streamlined. Similarly, data mapping becomes easier, and you’ll be in a better position to follow consumer privacy laws.
Storing less data also means a lower cost for data retention and fewer storage points.
Is Data Minimization a Regulatory Requirement?
If you fall under the GDPR, CPRA or industry regulations like HIPAA, your business will be legally required to practice data minimization. Most other data privacy laws mention this principle, but the GDPR and CPRA cover it in detail.
These laws cover all aspects of data collection, including:
- How data is collected: the GDPR and CPRA require businesses to collect consumer data only for the purpose for which it’s needed.
- How data is stored: most regulations also require businesses to store data only when absolutely necessary.
- The duration of data storage: the CPRA specifically requires businesses to delete consumer data and sensitive information once it’s no longer needed.
Other security regulations, such as the PCI DSS for payment card data, and HIPAA for health data, also require a level of data minimization.
How to Implement Data Minimization for CPRA & GDPR
The CPRA and GDPR lay out principles for data minimization, but you’ll need to understand the requirements of each regulation to have an effective data minimization strategy. Let’s explore how to implement data minimization under both regulations, regardless of your business or industry.
Implementing Data Minimization for GDPR
The GDPR is the most comprehensive data regulation with regards to data minimization requirements. 3 of the 6 GDPR principles cover some form of data minimization, and penalties for non-compliance are strict.
While there are several clauses covering data minimization, we can break them down into 2 main areas:
1. Data Collection
You should only collect data that is “necessary, adequate, and relevant” for a specific purpose. For example, if you’re collecting data for a survey, there’s no need to collect date of birth, gender, or other personal data unless it’s absolutely necessary.
Sometimes, businesses collect data that’s necessary, but not in an “adequate” quantity. Let’s take the same example of a business survey. If your survey requirements were 50 responses and your business collected 70, that would be inadequate, even if the data fields are necessary.
Lastly, businesses should collect “relevant” data. This means the data should be “compatible” with the purpose for which it was originally collected.
The GDPR also requires you to explicitly state the purpose and type of data you’re collecting before consumers provide consent. Even then, there are limitations that the purpose of data collection should be legitimate and “compatible with further purposes.”
2. Data Storage
While the GDPR covers data collection in detail, it also requires businesses to minimize their data storage processes. The general principle is that you shouldn’t store data for longer than required.
While there’s no specific time limit on data storage under the GDPR, here are a few points to consider:
- A subscription-based service may retain a consumer’s name, email, and other details for the period of the subscription. However, storing this data after a consumer unsubscribes is excessive.
- Data should be anonymized where necessary after it’s collected. This is an important part of PII compliance.
- Carry out regular compliance audits to identify personal information your business holds without being aware of it.
In most cases, it’s up to the business to decide storage limitations, but always ensure they follow basic data minimization principles.
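The collection and storage points above, as an added example that is not code from the article or from Captain Compliance: a small Python policy module that enforces a per-purpose field allowlist at intake (the survey case, where date of birth and gender are rejected), decides retention from the moment the purpose ended (the subscription case), strips direct identifiers so a record can be reused in anonymized form, and audits the stored inventory for fields outside the allowlist. The purpose names, field names, grace periods and sample records are constructed assumptions, not values taken from either regulation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Purpose-bound field allowlists: for each stated purpose, the fields that are
# "necessary, adequate and relevant". Purposes and field names are constructed
# for this example; a real business would derive them from its data map.
PURPOSE_FIELDS: Dict[str, set] = {
    "survey": {"response", "submitted_at"},
    "subscription": {"name", "email", "plan"},
}

# Grace period a record may outlive its purpose before it is deleted
# (constructed values standing in for a business's documented retention criteria).
GRACE_AFTER_PURPOSE_ENDS: Dict[str, timedelta] = {
    "survey": timedelta(days=0),
    "subscription": timedelta(days=30),
}

# Fields that directly identify a person and are removed when a record is
# anonymized for later aggregate use (constructed list).
DIRECT_IDENTIFIERS = {"name", "email", "phone"}


@dataclass
class Record:
    purpose: str
    data: Dict[str, str]
    collected_at: datetime
    purpose_ended_at: Optional[datetime] = None  # e.g. the unsubscribe time


def minimize_on_intake(purpose: str, submitted: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Keep only the fields allowlisted for this purpose; anything else is
    rejected before it is stored, so excess data never enters the inventory."""
    allowed = PURPOSE_FIELDS[purpose]
    kept = {k: v for k, v in submitted.items() if k in allowed}
    rejected = sorted(k for k in submitted if k not in allowed)
    return kept, rejected


def retention_decision(record: Record, now: datetime) -> str:
    """'keep' while the purpose is live or inside the grace period, else 'delete'."""
    if record.purpose_ended_at is None:
        return "keep"
    deadline = record.purpose_ended_at + GRACE_AFTER_PURPOSE_ENDS[record.purpose]
    return "delete" if now > deadline else "keep"


def apply_retention(records: List[Record], now: datetime) -> Tuple[List[Record], List[Record]]:
    """Split an inventory into records to keep and records due for deletion."""
    kept: List[Record] = []
    deleted: List[Record] = []
    for r in records:
        (deleted if retention_decision(r, now) == "delete" else kept).append(r)
    return kept, deleted


def strip_direct_identifiers(data: Dict[str, str]) -> Dict[str, str]:
    """Anonymize a record for aggregate use by dropping direct identifiers."""
    return {k: v for k, v in data.items() if k not in DIRECT_IDENTIFIERS}


def audit_inventory(records: List[Record]) -> Dict[str, Dict[str, int]]:
    """Count stored fields the purpose allowlist does not cover: personal data the
    business holds without a stated need, which a compliance audit should surface."""
    findings: Dict[str, Dict[str, int]] = {}
    for r in records:
        for k in r.data:
            if k not in PURPOSE_FIELDS[r.purpose]:
                per_purpose = findings.setdefault(r.purpose, {})
                per_purpose[k] = per_purpose.get(k, 0) + 1
    return findings


if __name__ == "__main__":
    now = datetime(2024, 1, 31, tzinfo=timezone.utc)
    # Constructed survey submission carrying fields the survey does not need.
    kept, rejected = minimize_on_intake(
        "survey", {"response": "yes", "submitted_at": "2024-01-30",
                   "date_of_birth": "1990-05-05", "gender": "f"})
    print("stored:", kept, "rejected at intake:", rejected)

    # Constructed subscriber records: active, recently unsubscribed, long unsubscribed.
    sub = {"name": "A. Example", "email": "a@example.invalid", "plan": "basic"}
    inventory = [
        Record("subscription", dict(sub), now - timedelta(days=200)),
        Record("subscription", dict(sub), now - timedelta(days=200), now - timedelta(days=10)),
        Record("subscription", dict(sub, phone="555-0100"), now - timedelta(days=200), now - timedelta(days=45)),
    ]
    print("audit findings:", audit_inventory(inventory))
    keep, drop = apply_retention(inventory, now)
    print(f"retention: keep {len(keep)}, delete {len(drop)}")
    print("anonymized:", strip_direct_identifiers(sub))
```

The allowlist is applied at intake rather than at storage time on purpose: a field that is never accepted cannot leak, cannot be forgotten in a backup, and never needs a retention rule. The audit function catches the other direction, data that reached storage without a purpose covering it, which is what the regular compliance audit mentioned above is meant to find.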
Implementing Data Minimization for CPRA
The CPRA is an upgraded version of the CCPA, and one notable difference is that it requires businesses to follow data minimization principles. Most of the concepts on minimizing data collection and storage are the same as with the GDPR, with a few exceptions.
Let’s explore how to implement data minimization as per the CPRA in detail:
1. Data Collection
The CPRA requires that data collection should be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed”. It also allows businesses to collect data “for another disclosed purpose that is compatible with the context in which the personal information was collected”.
This allows businesses to collect data for purposes that are “compatible” with the original purpose (as with the GDPR). However, the key is to get consent from consumers when using their personal information for these purposes.
2. Data Storage
As with the GDPR, you’ll need storage limitations for CPRA compliance. Although the CPRA doesn’t define a maximum period for which you can store personal data, it does provide guidelines for data storage.
Under the CPRA, you are required to:
- Inform consumers of the data retention period, or
- Inform consumers of the criteria your business uses to determine the data retention period.
The rest of the data storage provisions are the same as for the GDPR, and based on the principles of collecting and storing data that’s “necessary, adequate and relevant”.
FAQs
What Does the CPRA Say About Data Minimization?
The CPRA requires businesses to follow data minimization best practices, which include collecting data with consent and only for the purpose for which consent was given. It discourages unnecessary data collection and retention.
Want to know if the CPRA applies to your business? Read our CPRA guide.
What Happens if a Business Doesn't Follow Data Minimization Principles?
Businesses that are not compliant with the data minimization requirements of the GDPR, CPRA, HIPAA and other regulations can face hefty fines. Non-compliance can also harm your business’s public image.
Read this article for more information about GDPR compliance.
What Type of Data Should You Minimize Collection and Storage Of?
Compliance regulations require businesses to minimize collection and storage of personally identifiable information and other sensitive data. This could also include business data and third-party data.
Learn more about third-party compliance in this article.
What are the Three Main Points of Data Minimization?
The main parts of data minimization under the GDPR and CPRA are necessity, relevance, and adequacy. Your data collection process should cover all three to be compliant with these regulations.
Need help with data compliance? Contact Captain Compliance!
How Can Captain Compliance Help You?
Now that the importance of data minimization is clear, you’ll need to identify the type of data your business collects and the storage process. This requires a data audit.
At Captain Compliance, we help businesses with data compliance by providing data compliance audits. Our compliance specialists will help your business align its data minimization strategy for regulatory compliance.
Book your free consultation today to learn how you can become compliant!