If privacy law has been on your bedtime reading list recently, you’ll be aware that data minimisation and storage limitation are hot topics right now.
With sensitive data spreading uncontrollably across SaaS applications, it's becoming more difficult to discover, control, and protect your data. We're going to break down these vast topics to help you get a clearer idea of what they are and how you can use them to your advantage.
Data minimisation is one of three principles in GDPR regarding data standards, along with accuracy and storage limitations. It essentially refers to collecting and keeping only the personal data that you need, which in turn reduces the risk of over-exposure.
It's also increasingly making the shift from a best practice and condition of safe harbour, particularly in the US, to being explicitly required in modern privacy legislation such as the California Privacy Rights Act (CRPA) and in the current draft federal bill for the American Data Privacy and Protection Act.
In a more practical light for growing scale-ups, data minimisation is an enabler for many elements of a strong data security posture. It involves defining how and why the data is being collected, collecting anonymised data or the least personal data possible, and having tools and systems in place to erase stale sensitive data.
Storage limitation is the principle of keeping data only as long as is necessary. This is important, beyond simply complying with regulations. Personal and sensitive data held for too long quickly becomes excessive, inaccurate or redundant.
There is already a significant enough risk storing sensitive data, let alone inflating the risk with redundant data which could have been erased in the first place. Since GDPR was introduced, many companies implemented data retention schedules and information asset registers to comply specifically with the wording that data is not held for any 'longer than is necessary'.
If you're currently in a scale-up with an ever-growing list of SaaS applications, you'll no doubt feel a bit uncomfortable about storage limitations in practice for both personal and sensitive data. The risk is heightened as the amount of data grows exponentially.
*In 2021, SaaS file security violations spiked by 134%, and the number of files containing PII has grown 1944% year on year. When we're speaking with CISOs in particular, it's common to hear the importance of addressing this risk in a way that automates the data identification and redaction/erasure steps, as much as possible.
Good security posture is more of a process than an outcome, so we're sharing three ways we've seen scale-ups improve their data security posture through their day to day processes and operations.
The first step in securing data is to know what you have. Ultimately, it's a record of what information your business holds, where it is stored, who has access to it, how sensitive it is and how old it is. This visibility forms a spine for the next two areas!
Data security is more than just a compliance activity. When embedded into the ways of working and culture of the business, it can create significant value to both the operations and revenue. Naturally, training is part of this. But employees are not all the same and any approach to security education needs to be tailored to an individual, in terms of their role and meeting them where they are in their security knowledge.
Likewise, we're seeing a greater shift to considering the impact that good security posture has on employee behaviours, particularly in SaaS applications where the risk of over-exposure is heightened. We know that most data leaks are a result of accidental mistakes rather than malicious intent, so policies and general training are only as effective as the behaviours they consistently drive.
High growth companies are constantly hiring, onboarding and trying to train and align new staff with preferred ways of working. In a scrappy environment, it can feel like an impossible task, but it’s an essential part of minimising data and thus protecting your business long term.
Two of our favourite words at Metomic. Automation lightens the load which is vital during periods of growth to ensure security teams are focused on more impactful initiatives (like cultural awareness).
Metomic can look across your entire surface—from the infrastructure layer to applications, and across multiple environments—to identify and map sensitive data. It can enforce policies, such as automatically deleting sensitive data when it's no longer needed.
An unfortunate but recurring symptom of the explosion of SaaS applications is how much easier it now is for sensitive data to spread. So it is more important than ever for scale-ups to improve up their data security posture and take steps to protect their customers' sensitive and personal data.
Metomic's sensitive data discovery tool for SaaS apps helps you discover and control sensitive data in cloud applications so that you can focus on growing your business.
Get in touch today for insight into the data minimisation effort at your business and recommendations for remediation.