Data Minimisation: The key to managing the impact of a breach

Understanding what data minimisation is, what your obligations are, and what policy, process, and technology approaches you can take to achieve compliance and success is important, but it does not have to be complicated. As an information governance professional you play a key role in strengthening your organisation’s cyber security. Discover what data minimisation is and why it is critical in being proactive to manage the impact of a breach.

The frequency of data breaches is on the rise, with hackers going after treasure troves of sensitive and high value data in corporate networks. At the same time, the volume of such data collected and stored within organisations’ environments is increasing at unprecedented rates, usually without a robust data minimisation strategy in place. Australian company MediSecure recently fell victim to a major data breach, with customers’ personal and health information impacted. Around the same time, Ticketmaster also suffered a breach of its data stores, alleged to contain PII and partial payment details of up to 560 million customers. 

While unconfirmed at this stage, it’s likely that much of this information should have already been disposed of, and so not exposed in these latest events. That’s the case with most data breaches – organisations hold onto swathes of data, well past its ‘use by’ date, which inevitably ends up in the hands of hackers to use to demand ransom or sell on the dark web.

Are we focusing on the wrong thing?

Why does this keep happening? The main issue is that cybersecurity efforts typically have a strong focus on reducing the likelihood of a breach, as opposed to managing its impact. Gartner forecasts that organisations are increasing their spend in billions of dollars on security and risk management products in 2024, with much of this focused on preventative measures. But it’s impossible to reduce the likelihood of having a breach to zero, no matter how much you spend on perimeter security.

Data breaches are really a question of ‘when’, not ‘if’. With data volumes increasing exponentially, it is critical that robust cybersecurity measures are balanced against ethical and practical data management, to reduce the impact of an inevitable breach. And laws are changing to mandate this shift in focus not only to protect people, but also in the interest of national security.

Creating an impenetrable system is unrealistic, as bad actors will always be a step ahead, and there will always be new zero-day vulnerabilities, misconfigurations, human error, or trusted insiders that can cause a data spill.

That means organisations need to not only continue to reinforce their walls, but also reduce the damage that can be done when those walls are inevitably breached. This is where data minimisation becomes essential.

So, what does data minimisation really mean?

Data minimisation involves avoiding the collection of unnecessary personal details, duplicate data, excessive backups, or offline copies, and only collecting what is needed. It also means limiting the number of people with access to the data, their privileges, and the duration of their access. Finally, effective data minimisation requires robust policies and governance around records management and retention.

The purpose is to make sure that when there is a breach or spill, it’s as small as it possibly can be.

For many years, companies have tended to stockpile information for various purposes – to improve corporate decision making, create accountability, and personalise experiences for their stakeholders, to name a few. But by reducing the amount of data in the network, companies minimise what information stands to be stolen, and ultimately discourage attempts to access systems. Less data equals less incentive for bad actors, which is why organisations who don’t have a good data disposal process are at much higher risk of compromise.

The other benefits

Data minimisation isn’t just about fulfilling legal obligations, such as reporting to national privacy frameworks or meeting the requirements of GDPR or the Consumer Data Right. Effective data minimisation requires comprehensive information asset management – knowing your data, who and what topics are in it, and the retention and confidentiality rules that apply to it. Establishing this type of enterprise governance helps to reduce the potential harm of a breach, and is also a crucial mechanism to enable faster response and recovery – quickly determining which parties are affected, and having the ability to alert those parties that their information is compromised.

Having effective governance in place also helps with risk transfer. Organisations holding sensitive amounts of information for extended periods of time, and who don’t have robust disposal processes and systems, typically face higher cyber insurance costs. These organisations may also be less likely to be paid out by their insurer despite having taken other cybersecurity measures, as they are deemed not to have taken adequate measures to establish granular visibility into the information in their custodianship. Having a retention policy applied to all personal data is the best way to improve your insurability.

Technology approaches to data minimisation

Given the complexity and volume of data we hold, technology plays a pivotal role in identifying valuable and sensitive content. AI and automated decision-making tools enable autoclassification of all data, and the management of associated risks.

But it is crucial to keep humans in the loop. To mitigate risks such as AI bias or malicious use, AI-assisted processes must be explainable and transparent. This transparency allows decisions to be challenged by humans, protecting vulnerable communities from potential harm. All artificial intelligence and automated decision making systems used for regulatory purposes like privacy and retention must be Ethical AI under new EU laws, and to align with international best practices.

In an era where data breaches are a persistent threat, data minimisation is fundamental to reduce impact. By limiting the amount of data retained – and knowing when to responsibly dispose of it – organisations can protect themselves and their stakeholders, ensuring inevitable breaches do not result in catastrophic damage.

The Essential Guide to Data Minimisation Best Practices

To address the criticality of information governance, and the growing challenges of managing data at scale, AI has entered the fray over the last five years, to automatically classify records against risk and retention rules with the aim of minimising personal and sensitive data holdings. But there are pitfalls to be aware of when considering AI for privacy and other data classification, not least of which relate to new legislation for Ethical AI. This guide provides a summary of the requirements for data lifecycle management, the technology approaches, and the risks.

It also provides access to a Data Minimisation Best Practice Checklist to help you design, maintain and implement these best practices. Download the checklist via the link or QR code on the guide.
