Last month I had the honor of presenting on a panel at Relativity Fest, which I consider one of the most prominent events in the e-discovery community. Our session, entitled “Little Data: The Results of the 2019 Relativity/CTRL Study on Data Minimization,” included a “big reveal” of survey results that were months in the making.
The survey was commissioned by the Coalition of Technology Resources for Lawyers (CTRL)—an industry forum I helped found in 2014. CTRL’s mission is to “advance the discussion on the use of technology and analytics in the practice of law.”
As we began planning for this most recent survey, orchestrated by Osterman Research, we homed in on the emerging topic of data minimization. For those unfamiliar with the term, it is defined by the FTC as “the concept that companies should limit the data they collect and retain and dispose of it once they no longer need it.”
The interesting thing about data minimization is its connection to recent data privacy laws throughout the world, including the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). Since both these regulations are relatively new, CTRL’s goal with the survey was to understand how prepared organizations were for this new landscape.
While I’d urge you to read the complete findings, I wanted to highlight a few excerpts and takeaways from the report.
#1: Data minimization isn’t just about disposing of files that aren’t useful. It’s also about zeroing in on only the most important data from all sides.
Initially, it’s interesting to note that data minimization has quickly evolved beyond merely disposing of non-valuable content, although that element can be important. Significantly, it has started to become a way to minimize data retention by design: i.e., to stop collecting data that doesn’t fulfill a legitimate business objective. This sea change can’t be overstated.
This change in data governance has a range of interesting drivers, many regulatory. Leading the pack was information governance “best practices,” a bit of an umbrella concept that encompasses regulatory compliance, records management, and general data hygiene. Notably, while data storage costs still made the list, this business driver isn’t as critical as it may have been even 5 or 10 years ago.
#2: The value of a good, up-to-date data map cannot be overstated—but neither can its rarity.
One of the first things a company needs to do as they begin on their data minimization quest is to understand their current data estate. Whether they call it “data mapping,” or “personal information inventory,” or “data discovery,” this is a crucial first step before any attempts to govern existing stores, and it often precedes efforts to minimize future information collection. Here, the 120 survey respondents were clearly vexed:
As the graphic indicates, only a third felt like they really understood their data universe and its potential to contain risky, sensitive, or personal data. Even the 34 percent who believed they “completely” understood their data landscape had a hard time when they had to break down their data silos into structured, semi-structured, and unstructured categories. Without editorializing too much, the following graphic seems to indicate that confidence across all data categories would be quite low indeed.
Given that more than 80 percent of a company’s data is typically unstructured, the fact that organizations have a very low (15 percent) handle on that data source means that comprehensive data visibility is paltry. And, as we’ve seen with recent high-profile data breaches, it’s this dark and unstructured data that ultimately contains the most risk, in terms of sensitive content that is unguarded and dangerous if released into the wild.
#3: The ability to perform defensible legal holds remains a major motivator of data minimization efforts.
Finally, the survey did diagnose one potential area of conflict for organizations that want to aggressively minimize their content: legal holds.
Fortunately, both the survey data and the panel discussion seemed to conclude that a well-thought-out and documented IG program should be sufficient insulation against any spoliation charges.
Data minimization is on the cusp of materially impacting organizations. The CCPA and any emerging legislation like it will very quickly drive this theme home for many organizations, and then the hard work begins: to minimize the intake of superfluous data and clean up the sensitive information most of us have likely been saving and over-collecting for years.