Data minimization; Will the UK leave the GDPR?
The DPOInsider covers the latest news and developments in data compliance and privacy. The DPO's favourite weekly read ☕️
Welcome to the second edition of the DPOinsider. I really hope that you are enjoying reading this weekly update on all things data compliance and protection. You can hit reply at any time to get in touch with questions or feedback.
It seems that companies aren’t using all of their data. In fact, the reality is that it’s not even close to all.
A current estimate from PwC is that, on average, only 0.05% of data is used in a meaningful way.
In today’s business landscape, companies seem set by default to collect as much data as possible, without the infrastructure or expertise to actually benefit from it.
This naturally leads us to a conversation about data minimization, and for DPOs this can be unstable ground. How can you shift the conventional narrative that companies should collect and store as much data as possible?
This article is a good place to start. From data privacy laws to growing data retention and storage costs, there are many good reasons to take a fresh look at your data retention policies with data minimization in mind. As the article rightly points out:
Collecting more data without doing due diligence, getting the right team on the ground, and the right AI or processing tools for that team to use, is a massive gamble. You risk spending a lot of money and creating more security risks, without any of the payoff.
Ultimately, data minimization becomes a calculation of the value you are getting from the data you collect vs. the risks associated with that data. Based on those PwC estimates, I’d wager that many companies have currently got this balance a little wrong.
UK wants out of GDPR
The latest noise coming from the UK government is that it wants out of the EU’s GDPR.
Granted, it can be difficult to tell if this is a politically motivated move. However, it seems that any future UK regulation would use the GDPR as a framework.
The interesting development here would be how the EU responds should the UK seek to reach a new “Era of Growth and Innovation” via a new set of privacy laws.
The answer might be simpler than you’d think. The GDPR was introduced in 2018, i.e. before Brexit, making it a part of British law.
All this has likely landed in the in-tray of the UK’s new information commissioner, John Edwards. Whether he can convince the EU, and other nations, that new laws adequately protect consumers will be something to keep an eye on in the coming months.
Another fine for over retention of data, or is it under minimization?
New standards for cross-border data transfers?