Businesses are greedy for data, and they are becoming hungrier with the emergence of AI tools that work more effectively when mining vast data sets.
Give an AI system data about my Amazon activity from the past 6 months and it might deduce from the plethora of chew toys, training treats and outdoor wear I’ve ordered that I recently adopted a very active dog. This is both true and moderately useful. Feed it shopping data from the past 6 years and it will be able to predict a whole bunch of things - from how my disposable income has changed to where and when I like to holiday and all manner of health and fitness insights.
Having lots of data about people is useful, perhaps. But who does this serve best?
Recent activity and statements suggest that regulators don’t think it’s in consumers’ interests. In their view, businesses are overstepping the mark when it comes to collecting and retaining personal data, and they’re more ready than ever to take action.
Minimise your data. Or else…
The GDPR and CCPA, two well-known data privacy regulations, make clear that personal data collection and storage should be proportional to need. This is the principle known as data minimisation - businesses should only request and store personal data that is directly related to or required to fulfil a specific service.
The data minimisation principle is why you should only collect a few bits of data from someone when they sign up for a newsletter but it’s okay to ask for more when helping them choose a pension plan.
Furthermore, regulations require that data be retained only for as long as is necessary to fulfil that initial purpose. No longer sending that newsletter? Customer found their pension? Delete data that is stored for that purpose alone.
Regulators’ concerns are twofold. First, both the GDPR and CCPA explicitly contraindicate excessive data collection. Second, consumers are put at greater risk when granular data about them is involved in a breach.
In the EU and US, regulators are taking action when data minimisation principles are flouted. New and updated regulations in the US and worldwide all bring minimisation to the fore.
It might be tempting to perceive this renewed focus on minimisation as another instance of regulation constraining innovation. Surely we need to feed those hungry young AIs if we want them to grow up big and strong?
To a certain extent, AI provides a compelling case for more being better than less, which makes navigating the dual need for lots of data and minimisation a challenge. However, as in other areas of data compliance, there are opportunities to use data minimisation as a data governance principle that actually creates value through reduced storage costs, reduced risk, improved trust and improved data use. Bringing these opportunities to life is what’s got the RegTech sector interested - it’s a critical use case.
Data minimisation is not just about avoiding fines
Companies spend big on storage. Research suggests that almost half of a typical business’s tech spend is on cloud-based data storage, with businesses spending more on data than they expected to and with costs substantially increasing year on year.
Data minimisation reduces storage spend by restricting what data is stored and ensuring it’s not stored for longer than needed.
Simplifying the data you store is also a good basis for ensuring it’s clean, fit for purpose and standardised. Messy data with inconsistent formats is the bane of effective data usage. Ask any beleaguered data scientist. They will tell you that the biggest proportion of their (very expensive) time is taken up finding and cleaning data. Nobody should pass up an opportunity to save their business money AND become the friend of those mysterious data geniuses down the corridor.
You’ll also be on friendlier terms with customers and regulators. Not putting customer data at risk of breach for longer than necessary helps avoid fines and improves trust.
However, this creates a challenging situation for compliance professionals in particular. Your business needs data but wants to keep costs down. The regulator wants to know that you can produce evidence they can trust, but they also want you to minimise storage. Resolving this challenge is where RegTech solutions need to play their part.
How to minimise data storage
Being precise about the data you have, how it can be used and for what purpose is fundamentally good practice, opening up opportunities for improved insight.
Going about this requires strategic thinking, resources and the adoption of suitable systems and processes. Here’s how compliance teams can go about doing that.
- Clarify what data your business really needs. Simple to say, harder to do, especially in larger enterprises. But along with good governance, the people involved in both data collection and data use need to ensure their needs are met in ways that comply with regulatory requirements.
- Make data minimisation an integral part of your data governance strategy and associated systems and processes. This means stating who is responsible for data minimisation in your governance hierarchy, providing tools and resources to support minimisation and creating targets and KPIs for minimisation. For example, putting a number on reducing cloud storage costs will help focus minds.
- Find ways to make data minimisation a value driver. In many businesses, data governance is less of a strategy and more a plan for managing data. If that’s the case you may need to build more of a case for elevating data minimisation beyond reactive management. One way to do that is to explore how new technologies can provide a basis for baking data minimisation into the systems that store and monitor data.
Compliance needs make minimisation challenging
Businesses need to retain data for compliance purposes, a requirement that pushes them towards increasing rather than minimising data storage.
The need for retrievable records of data and transactions results in duplicate records for archiving purposes. This duplication of storage adds to costs. It also propagates personal data records. This makes the management and cleansing aspects of data minimisation tactics challenging and complex.
This creates a Catch-22 situation. Detailed records must be kept for regulators who also want data to be kept to a minimum…
This is where new RegTech solutions like LogLocker come into their own. Rather than creating a duplicate record, LogLocker tracks changes, monitoring and recording on a ledger the lifecycle of documents and data. This ledger is blockchain-based and, therefore, immutable, making it defensible. The ledger is searchable, which means records can easily be retrieved.
Rapid retrieval and defensible records that reduce storage costs? This could be the holy grail compliance teams are looking for.