PARTNER CONTENT: Data is the lifeblood of the telecom industry. With the advent and proliferation of 5G, AI, IoT, and other transformative technologies, telecom companies manage vast amounts of structured and unstructured data. Tom Moore, Senior Managing Director, Protiviti, explains that while this data is essential for delivering seamless customer experiences and driving innovation, it also brings significant risks. One of the most critical strategies to mitigate these risks is data minimization, a principle that telecoms must adopt not just to comply with regulations but to secure their future.
Why has data minimization become critical?
Data minimization refers to the practice of collecting, processing, and retaining only the minimum amount of data necessary for a specific purpose. Rooted in privacy and data protection regulations like the GDPR, it seeks to reduce the volume of data stored, thereby limiting exposure to breaches, operational inefficiencies, and regulatory penalties. This principle is particularly relevant for telecom companies given their reliance on legacy systems, vast customer bases, and the increasing complexity of cyber threats.
Over decades of service, telecom operators have accumulated immense data stores across multiple systems and repositories. This data, ranging from customer information to network performance metrics, is instrumental for network optimization and customer engagement. However, the sheer scale of the data often outstrips an organization’s ability to secure and manage it effectively. Old or legacy data is very often the source of data breaches today.
Furthermore, technologies like 5G and AI elevate the stakes. For instance, 5G’s low latency and real-time data capabilities mean that sensitive information, such as precise location data or facial recognition inputs, can be transmitted and processed faster than ever before. This expands the potential damage in the event of a security breach. Similarly, AI systems, while revolutionary in analyzing and leveraging telecom data, generate vast data sets, including inferred or sensitive data, exacerbating privacy risks.
Telecoms are prime targets for cyberattacks
Recent breaches in the telecom sector highlight the risks of excessive data retention. One such example saw decades-old customer data exposed including sensitive personal information of individuals who were no longer customers or had merely applied for credit. These incidents underscore the need for operators to implement robust data minimization practices, which requires regularly purging outdated and unnecessary data, shrinking the “breach zone” and reducing both reputational and financial fallout.
Other cases that highlight the importance of data minimization include the recent news that China-backed hacker group breached US telecom providers to access wiretap data and the case of Orange Spain, which suffered a massive cyberattack and disrupted operations.
Even regulators and standards organizations like the UK’s telecom regulator Ofcom and the European Telecommunications Standards Institute have fallen victim to breaches.
The financial and environmental cost of retaining data
Storing and maintaining old data is not just a security risk, it is also financially and environmentally expensive. Legacy data increases storage costs and complicates analytics, forcing operators to invest in additional resources without yielding commensurate value. Moreover, inefficient data management can lead to outdated insights, negatively impacting network planning and customer service.
Regulators worldwide are stepping up enforcement of data protection laws. In the United States, the Federal Communications Commission (FCC) now requires telecom providers to report breaches of personally identifiable information (PII) within 30 days. In Europe, operators face stringent rules under GDPR, with hefty fines for non-compliance. For instance, an Italian telecom company was fined €27.8 million for excessive data retention.
Excessive data storage has a significant environmental footprint, as data centers require vast amounts of energy for operation and cooling, contributing to rising energy costs and substantial carbon emissions. In an era where sustainability is a key priority for industries, minimizing unnecessary data storage aligns directly with global sustainability goals, such as reducing carbon footprints and conserving resources. Adopting data minimization not only reduces operational costs but also demonstrates a commitment to environmental stewardship.
Beyond the ecological impact, there is an ethical responsibility to manage customer data thoughtfully and to respect user privacy. Holding on to outdated or excessive data not only increases vulnerability to breaches but also raises questions about transparency and accountability. By embedding data minimization into their corporate strategies, telecom operators can fulfill their social responsibility to protect customer data and privacy while contributing to a greener, more sustainable digital economy. This dual focus on sustainability and ethics positions them as leaders in corporate social responsibility and strengthens brand reputation in a competitive market.
In the highly competitive telecom market, customer retention is critical for sustained growth, it cannot be overstated that a strong reputation for security is essential to earning and maintaining the trust that keeps customers loyal.
Steps to embed data minimization by design
Adopting data minimization presents significant challenges for telecom companies, including resistance to change from internal stakeholders, the high costs associated with modernizing legacy systems, and the complexity of aligning data minimization efforts with overarching business goals.
Many organizations are hesitant to disrupt established processes or invest in new technologies without clear short-term returns. Additionally, legacy systems often lack the flexibility to support modern data practices, making implementation seem daunting.
To overcome these barriers, telecom service providers can adopt phased rollouts, starting with smaller projects or departments to demonstrate tangible benefits before scaling across the organization. This approach minimizes disruption while building internal confidence in the strategy.
Leveraging AI-driven data management tools can also streamline the process by automating data classification, retention, and deletion, reducing manual effort and ensuring compliance. Furthermore, fostering a culture of change by securing leadership buy-in and educating teams on the long-term value of data minimization, such as enhanced security, cost savings, and improved customer trust, can help overcome resistance and align efforts with strategic objectives.
Seven steps to data minimization
Telecom operators must adopt data minimization as a core operational and strategic principle. They can take the following steps to achieve impactful data minimization:
- Develop a Data Retention Schedule — Establish a clear data retention policy that balances legal, tax, and business requirements while aligning with customer expectations.
2. Conduct Comprehensive Data Audits — Maintain an up-to-date inventory of all data systems, applications, and repositories. This should include third-party vendor systems and mapping of data collection, usage, and access points.
3. Implement Systematic Data Deletion — Regularly delete data that exceeds the retention period. Ensure that legal hold data includes only the elements required to satisfy regulatory or litigation needs, avoiding wholesale retention of entire repositories.
4. Automate Deletion Processes — Update existing applications to automate data deletion when it surpasses its retention period. This reduces manual errors and ensures consistent compliance.
5. Design Minimization Features into New Products — Embed data minimization principles into the development lifecycle of new products and services. Automated deletion should be a standard feature to prevent future data accumulation issues.
6. Secure Senior Leadership Buy-In — Ensure senior executives and board members prioritize data minimization. Regular progress reports to the Audit or Risk Committee can sustain momentum and accountability.
7. Partner with Experts — Engage external partners to design and implement a robust data minimization framework. Firms like Protiviti can provide specialized expertise to streamline this process.
Harness data minimization
As the telecom industry continues to innovate, data will remain both a critical asset and a significant liability. Data minimization offers a pragmatic way to manage this duality, enabling operators to reduce risks, optimize operations, and maintain customer trust. By embedding data minimization into their strategic roadmap, telecom companies can position themselves for a more secure and sustainable future.
With regulatory scrutiny increasing and cyber threats evolving, the time to act is now. Telecom leaders must embrace data minimization not as a compliance checkbox but as a competitive advantage. In doing so, they will protect their organizations, their customers, and the broader digital ecosystem.