Share these talks and lectures with your colleagues
Invite colleaguesPractice paper
Data minimisation: A crucial pillar of cyber security
Cyber Security: A Peer-Reviewed Journal,
8
(3),
243-254
(2025)
Abstract
As data security threats mount, businesses should not lose sight of a fundamental but powerful tool to mitigate risk: data minimisation. Businesses across industries should recognise the potentially devastating security, operational and compliance risks that arise from keeping old and unreliable data. Helpfully, the latest generation of privacy laws are increasingly mandating data minimisation, purpose limitation and other measures designed to protect individual privacy. Such measures have the additional benefit of shrinking the surface area for cyberattacks and other threats to the confidentiality, integrity and availability of data. Leveraging new laws and technology, companies should maximise the value of their information by focusing on sound data governance, ensuring that it is not just an ‘IT issue’. Then businesses should use new tools to map their data and determine its age and sensitivity and start minimising their retention and use of data that no longer meets current business or compliance requirements. Businesses can use a variety of techniques to slim their data profile, eg destruction, de-identification, tighter retention policies, privacy-enhancing technology. In the end, these minimisation actions will be well worth the effort. Businesses will unlock their data’s true value, increase their productivity and avoid the serious privacy and information security risks that come from housing data they no longer need.
Keywords: data minimisation; data mapping; data governance; data protection laws
The full article is available to subscribers to the journal.
Author's Biography
Paul Luehr co-leads Manatt’s AI practice and has handled some of the largest data security and privacy incidents in history. With three decades of experience across law, government and consulting, he works with a variety of clients in retail, healthcare, financial services, technology, higher education and manufacturing, and has earned a reputation as a ‘go to’ adviser in high-stakes cyber security, privacy and artificial intelligence (AI) matters. Paul frequently represents clients before federal and state regulators and foreign data protection authorities. He has responded to hundreds of cyberattacks, guided large teams of experts, created robust compliance programmes, supervised enterprise-wide privacy and cyber security assessments, led cyberthreat tabletop exercises and advised board directors on new data risks. Paul has given over 180 lectures at universities and trade organisations, and his insights have been featured on national television and radio and in publications such as the Wall Street Journal and the New York Times.
Brandon Reilly is the leader of Manatt’s privacy and data security practice and is recognised nationally for his work in cyber law and as a ‘Top 40 Under 40’ and ‘Top Cyber’ lawyer in California. A trusted adviser on privacy and data security issues for a sophisticated client base, Brandon is skilled at developing business-focused privacy and security frameworks aimed at mitigating future enforcement and litigation risk. His practice includes a wide array of consumer protection and privacy matters, including data privacy, security compliance and procedures and data breach responses. A thought leader and frequent speaker in the privacy and data security space, Brandon is a Certified Information Privacy Professional for the US private sector (CIPP/US) and an active member of the International Association of Privacy Professionals (IAPP) and co-founder of its local Orange County chapter. Brandon has spoken at national industry organisations such as the IAPP, the Institute for Internal Auditors (IIA), the Information Systems Audit and Control Association (ISACA) and the Information Systems Security Association (ISSA), and has been quoted by Bloomberg Law, Daily Journal and Cybersecurity Law Report as well as published in other notable publications.
