Data Minimization and Storage Limitation

Sensitive data is spreading uncontrollably across SaaS applications, so check out our 101 on data minimization and storage limitations.


If privacy law has been on your bedtime reading list recently, you’ll be aware that data minimization and storage limitation are getting a lot of love! With sensitive data spreading uncontrollably across SaaS applications, it becomes more difficult to discover, control and protect your data. So if getting up to speed on GDPR principles or having a first look at the American Data Privacy and Protection Act is not your jam, keep reading for a 101 guide to each of these principles and some ways you can level up your security posture.

Data Minimization

Data minimization is one of three principles in GDPR about data standards, along with accuracy and storage limitation. It essentially refers to collecting and keeping only the personal data that you need, which in turn reduces the risk of over-exposure. It's also increasingly shifting from a best practice and condition of safe harbor, particularly in the US, to an explicit requirement in modern privacy legislation such as the California Privacy Rights Act (CPRA) and the current draft federal bill for the American Data Privacy and Protection Act.

In more practical terms for growing scale-ups, data minimization is an enabler for many elements of a strong data security posture. It involves defining how and why the data is being collected, collecting anonymized data or as little personal data as possible, and having tools and systems in place to erase stale sensitive data.

Storage Limitation

Storage limitation is the principle of keeping data for only as long as is necessary. This is important beyond simple compliance with regulations. Personal and sensitive data held for too long quickly becomes excessive, inaccurate or redundant. Storing sensitive data already carries significant risk, let alone inflating that risk with redundant data which could have been erased in the first place. Since GDPR was introduced, many companies have implemented data retention schedules and information asset registers to comply specifically with the wording that data is not held for any 'longer than is necessary'.

If you're currently in a scale-up with an ever-growing list of SaaS applications, you'll no doubt feel a bit uncomfortable about storage limitation in practice for both personal and sensitive data. The risk is heightened as the amount of data grows exponentially. In 2021, SaaS file security violations spiked by 134%, and the number of files containing PII grew 1944% year over year. When we speak with CISOs in particular, it's common to hear how important it is to address this risk, and to do so in a way that automates as much of the data identification and redaction/erasure steps as possible.

Leveling up your data security posture

Good security posture is more of a process than an outcome, so we're sharing three ways we've seen scale-ups level up their data security posture through their day to day processes and operations.

1. Visibility 👓 - The first step in securing data is to know what you have. In our platform we call it your Sensitive Data Footprint, but ultimately it's a record of what information your business holds, where it is stored, who has access to it, how sensitive it is and how old it is. This visibility forms a spine for the next two areas!

2. Culture > Training 🎓 - Data security is more than just a compliance activity. When embedded into the ways of working and culture of the business, it can create significant value to both the operations and revenue. Naturally, training is part of this. But employees are not all the same and any approach to security education needs to be tailored to an individual, in terms of their role and meeting them where they are in their security knowledge. Likewise, we're seeing a greater shift to considering the impact that good security posture has on employee behaviors, particularly in SaaS applications where the risk of over-exposure is heightened. We know that most data leaks are a result of accidental mistakes rather than malicious intent, so policies and general training are only as effective as the behaviors they consistently drive. High growth companies are constantly hiring, onboarding and trying to train and align new staff with preferred ways of working. In a scrappy environment, it can feel like an impossible task, but it’s an essential part of minimizing data and thus protecting your business long term. 

3. Automate & Remediate ⚙️ - Two of our favorite words at Metomic. Automation lightens the load which is vital during periods of growth to ensure security teams are focused on more impactful initiatives (like cultural awareness). Metomic can look across your entire surface—from the infrastructure layer to applications, and across multiple environments—to identify and map sensitive data. It can enforce policies, such as automatically deleting sensitive data when it's no longer needed.

An unfortunate but recurring symptom of the explosion of SaaS applications is how much easier it now is for sensitive data to spread. So it is more important than ever for scale-ups to level up their data security posture and take steps to protect their customers' sensitive and personal data. Metomic helps you discover and control sensitive data in cloud applications so that you can focus on growing your business.

Get in touch today for insight into the data minimization effort at your business and recommendations for remediation. 

Photo by Christopher Gower on Unsplash
