One way for companies to decrease their cybersecurity risks, as well as their risks from new privacy regulations, is through data minimization—significantly reducing the amount of their data. By deleting old data and collecting less new data, companies will have less sensitive information to protect and process in accordance with their regulatory obligations. But getting rid of old data isn’t easy, in part because of the legal limitations on what can be deleted. We have previously written about these challenges, as well as the benefits of data minimization, which include reducing:
- the growth of a company’s data over time, and the associated storage costs;
- lost productivity associated with searching large volumes of irrelevant data;
- the cybersecurity and privacy risks of having large volumes of unneeded data, especially considering CCPA and GDPR-type rights of access and erasure;
- internal audit and compliance risks;
- contractual risks (e.g., obligations to clients and customers to delete data once it is no longer needed); and
- the volume of documents that may be unhelpful to the company in potential, but not yet reasonably anticipated, litigation or regulatory inquiries.