For too long, enterprises have struggled with a question about customer data: “how much data to collect, how best to use it, and how long or how much to retain in view of privacy and security concerns”. This dilemma persists in their efforts to comply with various regulations, to meet customers’ reasonable expectations, to deal with the Internet of Things and, for that matter, in every business decision.
One possible example of inappropriate usage of key customer data could be the collection of PAN numbers by Indian Railways. This critical information (PAN) is publicly displayed on reservation charts, which could be a clear violation of reasonable privacy practices. Another example could be that of credit rating or credit reporting, and the permissible uses of customer credit report information under certain circumstances.
The data minimization principle could come in handy to overcome this difficulty of possible misuse of collected data. Data minimization, which refers to the concept that companies should limit the data they collect and retain, and dispose of it once they no longer need it, could be a useful principle in guiding enterprises to avoid privacy compromises. The flip side of this approach could be choking off the potential benefits or innovation from the data collected.
Another approach could be consent-based, which requires obtaining customer consent every time information is to be collected or reported. But obtaining that consent would be a big burden on enterprises. Therefore, as part of a data minimization exercise, enterprises could ask themselves a series of questions, such as whether they need a particular piece of data or whether the data can be de-identified, in order to help themselves make optimal use of the data collected, and so on.
Whatever the approach, the onus of using the data appropriately (for the purpose for which it is collected), protecting it while in use or in retention, and finally disposing of it lies with the enterprises. Hence, the enterprises must initiate the necessary action, such as defining policies and frameworks, deploying technological and administrative controls, and closely monitoring and managing the same.
By PVS Murthy