My dad kept everything.

And I mean that literally. When my siblings and I started cleaning out his office, we found printed emails from 2003. Folders of documents no one had touched in fifteen years. Receipts for things we couldn’t identify. Manuals for appliances that no longer exist. Notes from meetings that probably weren’t that important even when they happened.

Box after box after box.

He was very much a product of his generation. Printing something was proof that someone said something, a bill was paid, a contract was formed, etc. He sent an email, got a confirmation, and then naturally printed it. He took copies of the checks showing a payment (and taught me to do that, which I did when I was a young adult) in case it got lost in the mail. Got a rebate check? He copied that too.

He loved being surrounded by paper, and I just loved this picture of him that I found.

Even as the world went fully digital, the instinct of having a physical copy never really left him. He didn’t totally trust that the cloud would hold things correctly. So the bank transfer confirmation got printed. The payment receipt got printed. The email thread, just in case, got printed. Meanwhile, all the emails and confirmations are still IN his email.

I kept thinking about this while hauling too many boxes to count to the recycling pile.

Because people today are keeping copies of records upon records. We’ve just stopped using paper mostly (though I do know some who still do) and moved to digital.

Nobody Actually Deletes Anything

With physical stuff, there’s a natural limit. You fill the cabinet, you fill the closet, the garage gets out of control, and eventually the sheer volume forces you to deal with it. Or like my dad, he didn’t actually deal with it – he just made piles upon piles of paper.

Digital doesn’t have that natural pressure point. Storage is cheap. There’s always more room. So we just keep everything.

Think about how a single work project actually gets stored. It starts as an email thread. Then someone creates a Slack or Teams channel. Then there’s a project management tool like Asana, Monday, ClickUp, or whatever your company uses.

In the early days, we stored copies on floppy (or hard) disks. When I asked my kids, “Do you know what this is?” they had NO idea. 

Someone also likely makes a shared Google Drive or SharePoint folder. Then someone downloads the document to make edits and saves it to their desktop. Then that version gets attached to another email and forwarded to three more people. Someone screenshots something on their phone. Someone exports a PDF “just to have it.”

That’s six or seven copies of the same information, scattered across platforms, and nobody is tracking any of it. Most of it will never be looked at again.

This is how data sprawl happens – not because people are trying to hoard data, but because nobody is thinking about the copies.

They’re focused on getting the work done, sharing the document with whoever needs it, and moving to the next thing. The fact that there are now seven versions of the same file living in seven different places doesn’t really register. Until it does.

What Data Minimization Actually Means

The general concept is not complicated: only collect and keep the data you actually need, for as long as you actually need it.

Some questions to ask before you hit save:

  • Is there already a copy of this?
  • Do I really need this?
  • How long do I need it?

Most people never ask any of them. And from a privacy standpoint, that matters a lot.

The data you’re holding is data that can be breached, subpoenaed, mishandled, or exposed. The data you’ve already deleted can’t hurt you.

Privacy laws have various definitions. Under GDPR, personal data must be “adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.” At least 15 states have adopted this concept.

CCPA’s data minimization standard is explained in Section 7002. It states that, “a business’s collection, use, retention, and/or sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purpose for which the personal information was collected or processed.”

Connecticut’s definition under CTDPA also requires data minimization and says “collection has to be necessary and proportionate to the stated purpose,” and Connecticut keeps amending the law to strengthen it.

This past Thursday, I had the opportunity to provide testimony at the Vermont House Committee on Commerce and Economic Development meeting regarding the current draft of Vermont SB-71 Privacy Law, and one of the areas being challenged in the bill is data minimization. 

As currently proposed, it would require the following:

A controller must limit collection and processing to what is reasonably necessary and proportionate to provide or maintain:

  1. A specific product or service requested by the consumer, and
  2. A communication that is not an advertisement by the controller to the consumer that is reasonably anticipated within the context of that relationship.

Then we have Maryland’s approach under MODPA, which is one of the strictest in the country on this. Companies have to limit personal data collection to what’s reasonably necessary and proportionate to provide whatever product or service someone asked for. For sensitive data such as health information, biometric data, and precise location, the bar is even higher: strictly necessary. That’s a meaningful difference from most state laws, which basically let companies collect what they want as long as they disclose it somewhere in a privacy policy.

Every other state ties minimization to what the company discloses in its privacy policy. Vermont (if passed as is) and Maryland tie it to what the consumer actually asked for.

How do you connect data minimization requirements to data retention?

Companies do need to consider which jurisdiction they are in and which requirements they need to adhere to regarding what can/can’t be collected and stored. Once that baseline has been established, data retention practices kick in.

Having a Policy Is Not the Same as Actually Doing It

This is where I see companies get stuck more than anywhere else.

They have a data retention policy. It’s written down. It might even be a solid one. And then nothing actually happens in practice, because finding all the places data actually lives and systematically doing something about it is genuinely hard work.

You can write a policy that says customer records get deleted after seven years. But if those records are sitting in your CRM, your email archive, a spreadsheet someone built on the side to “just track things,” a Slack message from 2021, and a folder on someone’s laptop who left the company, then that policy is basically unenforceable.

I did a data inventory for a company that had 5 CRMs. Why? They didn’t like the first 4; the CEO liked 1 better than the others, and no one wanted to delete any information from those not used.

I have clients who had a well-built retention schedule and a lovely policy to go with it. Thoughtful, detailed, the right people had reviewed it. But getting people to actually take action on it didn’t happen. People kept saving information in multiple places, nothing was really being deleted, and now they were doing one thing against what their company policy said they should be doing.

That gap is really common. More common than most companies want to admit.

What Actually Helps

A few things I’ve seen make a real difference:

Talk about why, not just what. If data minimization gets communicated as a compliance requirement, people treat it like something to check off and forget. When it’s explained as protecting the people whose data you hold, and reducing risk for the company, it actually resonates. People want to do the right thing when they understand what the right thing is.

Make the default behavior the right behavior. Don’t rely on people to remember to delete things. Set expiration periods in your project management tools. Put a schedule in place for archiving old Slack channels. The less this depends on individual memory and initiative, the better it will actually work.

Have a clear rule about how documents get shared. This one comes up constantly, and it’s so easy to fix. When someone shares a link to a file in a central system, there’s one copy, in one place, that can be managed and eventually deleted. When someone attaches the actual file to an email or drops it into Slack, you’ve immediately lost control of where it lives.

Ask the minimization question before a project starts, not after. What data do you actually need to collect? Do you need every field in that form, or are some of them just habit? How long do you genuinely need to keep it? Starting lean is infinitely easier than trying to clean up three years later.

Give people a reason to actually purge. A structured clean-up effort with some leadership energy behind it and a clear goal gets results in a way that a policy reminder email simply doesn’t. There’s something genuinely satisfying about clearing out digital clutter. Lean into that.

Team Effort: I’ve seen on Data Privacy Day and during Cybersecurity Awareness Month companies have clean out days for both digital and any physical documents. People can wear jeans or casual clothes if that’s not standard, bring in food (people always want the free food and will stop by to learn more), and prizes for who fills up the most bins or deletes the most files.

Make it Personal: Bringing in physical shredding bins for people to bring their own personal documents at home + the work drawers.

My Actual Summer Plan

Standing in my dad’s office, I told myself this summer I was going to go through my own stuff at home.

I had a doctor tell me that I could never take enough pictures (he was referring to pictures of my baby, but I apply this to all the special people, food, or beaches in my life). So the 66,255 items in my photo library are probably not going anywhere any time soon. I’m going with “doctor’s orders” on that one!

The downloads folder is a problem for future me. But the documents, the old physical and digital files, the folders I haven’t opened since before the pandemic? Even the pile of my kids stuff I stuffed in the basement for another time. Those are getting dealt with. This is my no-more-school-summer project, and I’m oddly excited about it.

Sidebar: I am loving that my daughter’s school now sends me a digital picture of her art. Less for me to scan, and don’t you just love this bird?

Why do we really keep stuff?

My dad’s whole system of printing and keeping everything came from wanting to feel in control. Wanting proof. Wanting to know that if something ever came up, the documentation was there.

But it didn’t actually give him control. It gave him SO MANY boxes of stuff his kids now have to sort through.

Just one of the many boxes of paper – because scrap paper was also saved!

My dad thought that keeping everything was safer might he have needed it.

That’s true for companies too. The data you’re holding onto “just in case” isn’t making you more protected. It’s making you more exposed – and making the things that actually matter harder to manage. How long did it take you to find the file anyway, because there were SO many files to sort through? Yup, too many…you get my point.

My dad kept everything because he was careful. Some things he saved I’m really grateful for, so I can read his sales leadership seminar notes, his first resume, and I found the cards my kids sent him. The printed bank confirmations, email print outs, and printed bank statements got tossed.

At some point, keeping everything stops being careful and starts being a liability.

What step can you take to minimize the data in your life?

Do you have a data minimization strategy that actually works in practice, or is it more of a “we have a policy” situation? I’d genuinely love to hear what’s worked. Drop a comment or send me a note.

Jodi

💡 When you’re ready, here’s how we can help:

⚙ Privacy Advisory & Implementation: We help companies navigate privacy requirements with confidence. Our advisory support covers strategy, operations, and real-world implementation.

⚙ Fractional Privacy Services: We provide fractional privacy leadership tailored to your needs and pace. From program development to day-to-day support, we help you build and sustain a strong privacy program.

The post My Dad Kept Everything. Sound Familiar? appeared first on Red Clover Advisors.

Jodi Daniels

Jodi Daniels is Founder and CEO of Red Clover Advisors, a privacy consultancy, helping companies from startup to Fortune 100 create privacy programs, build customer trust and achieve GDPR, CCPA, and privacy law compliance. Jodi as a Certified Informational Privacy Professional with the…

Jodi Daniels is Founder and CEO of Red Clover Advisors, a privacy consultancy, helping companies from startup to Fortune 100 create privacy programs, build customer trust and achieve GDPR, CCPA, and privacy law compliance. Jodi as a Certified Informational Privacy Professional with the daily privacy operations such as data mapping, individual rights, training, policies, etc. and also serves as a fractional chief privacy officer. Jodi Daniels is a national keynote speaker, host of the She Said Privacy / He Said Security Podcast, and also has been featured in The Economist, Forbes, Inc., Authority Magazine, ISACA, and more. Jodi holds a Masters of Business Administration and a Bachelor of Business Administration from Emory University’s Goizueta Business School.

Jodi's Linkedin ProfileJodi's Facebook Profile
Show more Show less