The Rising Importance of Data Minimisation in the Telecoms Industry

Why has data minimisation become critical?

Data minimisation refers to the practice of collecting, processing, and retaining only the minimum amount of data necessary for a specific purpose. Rooted in privacy and data protection frameworks like the GDPR, it seeks to reduce the volume of data stored, thereby limiting exposure to breaches, operational inefficiencies, and regulatory penalties. For telecom companies, this principle is particularly relevant given their reliance on legacy systems, vast customer bases, and the increasing complexity of cyber threats.

Over decades of service, telecom operators have accumulated immense data stores across multiple systems and repositories. This data, ranging from customer information to network performance metrics, is instrumental for network optimisation and customer engagement. However, the sheer scale of the data often outstrips an organisation’s ability to secure and manage it effectively. Old or legacy data is very often the source of data breaches today.

Furthermore, technologies like 5G and AI elevate the stakes. For instance, 5G’s low latency and real-time data capabilities mean that sensitive information, such as precise location data or facial recognition inputs, can be transmitted and processed faster than ever before. This expands the potential damage in the event of a security breach. Similarly, AI systems, while revolutionary in analysing and leveraging telecom data, generate vast data sets, including inferred or sensitive data, exacerbating privacy risks.

Telecoms are prime targets for cyberattacks

Recent breaches in the telecom sector highlight the risks of excessive data retention. In a few recent cases, breaches exposed decades-old customer data, including sensitive personal information of individuals who were no longer customers or had merely applied for credit. These incidents underscore the need for operators to implement robust data minimisation practices, which requires regularly purging outdated and unnecessary data, shrinking the “breach zone” and reducing both reputational and financial fallout.

Other cases that highlight the importance of data minimisation include the recent news that China-backed hackers breached US telecom providers to access wiretap data and the case of Orange Spain, which suffered a massive cyberattack and disrupted operations.

Even regulators and standards organisations like the UK’s telecom regulator Ofcom and the European Telecommunications Standards Institute have fallen victim to breaches.

The financial and environmental cost of retaining data

Storing and maintaining old data is not just a security risk, it is also financially and environmentally expensive. Legacy data increases storage costs and complicates analytics, forcing operators to invest in additional resources without yielding commensurate value. Moreover, inefficient data management can lead to outdated insights, negatively impacting network planning and customer service.

Regulators worldwide are stepping up enforcement of data protection laws. In the United States, the Federal Communications Commission (FCC) now requires telecom providers to report breaches of personally identifiable information (PII) within 30 days. In Europe, operators face stringent rules under GDPR, with hefty fines for non-compliance. For instance, an Italian telecom company was fined €27.8 million for excessive data retention.

Excessive data storage has a significant environmental footprint, as data centres require vast amounts of energy for operation and cooling, contributing to rising energy costs and substantial carbon emissions. In an era where sustainability is a key priority for industries, minimising unnecessary data storage aligns directly with global sustainability goals, such as reducing carbon footprints and conserving resources. Adopting data minimisation not only reduces operational costs but also demonstrates a commitment to environmental stewardship.

Beyond the ecological impact, there is an ethical responsibility to manage customer data thoughtfully and to respect user privacy. Holding on to outdated or excessive data not only increases vulnerability to breaches but also raises questions about transparency and accountability. By embedding data minimisation into their corporate strategies, telecom operators can fulfill their social responsibility to protect customer trust while contributing to a greener, more sustainable digital economy. This dual focus on sustainability and ethics positions them as leaders in corporate social responsibility and strengthens brand reputation in a competitive market.

In the highly competitive telecom market, customer retention is critical for sustained growth, it cannot be overstated that a strong reputation for security is essential to earning and maintaining the trust that keeps customers loyal.

Steps to embed data minimisation by design

Adopting data minimisation presents significant challenges for telecom companies, including resistance to change from internal stakeholders, the high costs associated with modernising legacy systems, and the complexity of aligning data minimisation efforts with overarching business goals.

Many organisations are hesitant to disrupt established processes or invest in new technologies without clear short-term returns. Additionally, legacy systems often lack the flexibility to support modern data practices, making implementation seem daunting.

To overcome these barriers, telecom service providers can adopt phased rollouts, starting with smaller projects or departments to demonstrate tangible benefits before scaling across the organisation. This approach minimises disruption while building internal confidence in the strategy.

Leveraging AI-driven data management tools can also streamline the process by automating data classification, retention, and deletion, reducing manual effort and ensuring compliance. Furthermore, fostering a culture of change by securing leadership buy-in and educating teams on the long-term value of data minimisation, such as enhanced security, cost savings, and improved customer trust, can help overcome resistance and align efforts with strategic objectives.

Seven steps to data minimisation

Telecom operators must adopt data minimisation as a core operational and strategic principle. They can take the following steps to achieve impactful data minimisation:

1. Develop a Data Retention Schedule — Establish a clear data retention policy that balances legal, tax, and business requirements while aligning with customer expectations.
2. Conduct Comprehensive Data Audits — Maintain an up-to-date inventory of all data systems, applications, and repositories. This should include third-party vendor systems and mapping of data collection, usage, and access points.
3. Implement Systematic Data Deletion — Regularly delete data that exceeds the retention period. Ensure that legal hold data includes only the elements required to satisfy regulatory or litigation needs, avoiding wholesale retention of entire repositories.
4. Automate Deletion Processes — Update existing applications to automate data deletion when it surpasses its retention period. This reduces manual errors and ensures consistent compliance.
5. Design Minimisation Features into New Products — Embed data minimisation principles into the development lifecycle of new products and services. Automated deletion should be a standard feature to prevent future data accumulation issues.
6. Secure Senior Leadership Buy-In — Ensure senior executives and board members prioritise data minimisation. Regular progress reports to the Audit or Risk Committee can sustain momentum and accountability.
7. Partner with Experts — Engage external partners to design and implement a robust data minimisation framework. Firms like Protiviti can provide specialised expertise to streamline this process.

Harness data minimisation

As the telecom industry continues to innovate, data will remain both a critical asset and a significant liability. Data minimisation offers a pragmatic way to manage this duality, enabling operators to reduce risks, optimise operations, and maintain customer trust. By embedding data minimisation into their strategic roadmap, telecom companies can position themselves for a more secure and sustainable future.

With regulatory scrutiny increasing and cyber threats evolving, the time to act is now. Telecom leaders must embrace data minimisation not as a compliance checkbox but as a competitive advantage. In doing so, they will protect their organisations, their customers, and the broader digital ecosystem.

This article originally appeared on Mobile World Live.