On July 21, the Federal Trade Commission launched a new initiative, Stick with Security. In this initiative, the FTC is expected to publish a post every Friday concerning the steps companies may take to help safeguard sensitive and personal data. Importantly, this series will give insight into the steps the FTC believes constitute reasonable data security, which can help companies manage data security risks and hopefully avoid FTC data security investigations. During this series, we will share additional practical insights related to each FTC post.
The first Stick with Security post from Friday, July 28, focused on data minimization: the principle that a company limit the amount of personal or sensitive information that it collects, uses, and maintains to only what it needs for its legitimate business purposes. While this sounds like a relatively simple and straightforward concept, it can be very difficult to implement in practice. We often see a tension between data collection desires stemming from the business (data analytics are a big deal, as is product innovation) and data minimization desires from the privacy and data security teams. Creating a culture of understanding and communication among these groups, so that the risk and benefit of data are accounted for before it is collected, used, and maintained, is a productive way to handle this common issue.
Please click here to see the FTC’s blog post containing advice on and examples of data minimization in practice.