Open navigation
Search
Search
All expertise
Explore our breadth of expertise.
International Desks
Helping you access overseas markets with support from our country and region-specific experts
Sectors View all
Practice Areas View all
Offices
Discover the scope of our presence in the jurisdiction.
Global Reach
Learn about our capabilities beyond borders.
CMS United Kingdom
All insights
Leverage our expert analysis, intelligence and thought leadership for your strategic advantage.
Personalised updates
Receive tailored insights and intelligence that apply directly to your business.
Topics in focus View all
Insights by type
CMS Spotlight: join our events and webinars!
CMS News
Stay up to date with our growth, evolution and our many successes.
CMS Press Office
Contact us
For all general enquiries.
About CMS
CMS Careers

Select your region

International Europe Africa Asia-Pacific The Americas Middle East
Legal Update

Top 5 ways to mitigate the risks of collecting data - Annual review 2015

16 Oct 2014 United Kingdom 3 min read

This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.

This article is an extract from our Annual Review 2015.

How can organisations mitigate the risks of collecting vast amounts of data without missing out on the opportunities?

1. Privacy by design

One solution is anonymisation or, if possible, pseudonymisation. Steering clear of collecting identifiable data minimises risk. It might not eliminate risk, because building a profile amounts to processing regulated personal data in some jurisdictions.

However, it will still help to smooth paths with customers and regulators if data has been gathered in a non-personal way, given that in the event of a breach the risk of harm to an individual is much lower.

2. Try to future-proof

It is hard to predict the future, but clever wording can help. Companies should try to find the right description of purpose for their data-processing activities: one that is specific enough to meet legal requirements but leaves room to manoeuvre in the future. Avoid, for example, stating that data collected will be used to send emails; saying 'electronic communication' allows greater leeway.

3. Don't add restrictions

A bad privacy policy is one that adds restrictions on a company for no purpose and doesn't add any transparency for the consumer. Avoid saying "we will ask for your consent before processing data for any other purpose" if it is not universally required.

A better policy tells consumers what a company will do with the data - not what it won't. More enlightened brands are using a layered approach. In addition to the general privacy policy, they will describe in a short passage how data will be used whenever specific fields are collected.

4. Use less data

When designing processes and launching new apps, companies should ask: "What is the minimum amount of data we need to achieve the desired result?" This makes sense from both a regulatory-compliance and financial point of view. Managing and housing large amounts of data is expensive, particularly in the event of having to comply with disclosure obligations in litigation. There needs to be a legitimate business reason for collecting the data. If it is not going to make money, don't bother.

5. Find out who is collecting what

The biggest internal challenge is understanding what data a business has. What is important for the business? What must be kept confidential? Who has access to it? Who is it shared with? Data scientists claim that there is no value in keeping data beyond six months. When conducting data analytics on a consumer, a statistically significant dataset can be built up within a quarter, with all the right consents.

There is a caveat: data must not be deleted before checking whether there is an overriding obligation for it to be stored - for example, for book-keeping requirements or tax returns, or if litigation is ongoing.

Click here to view an electronic copy of our Annual Review 2015.

More insights
Public Procurement Data Protection & Freedom of Information Competition and Cartel Investigations

Explore more

Event United Kingdom

IP Insights webinar series 2026

28 Apr 2026
Publication United Kingdom

Procurement Cube

09 Feb 2026 5 min read
Back to top Back to top
You will now find all Law-Now content on CMS.law
Explore more
Law-Now, RegZone, LEXplicite and Blogtt have moved to CMS.law. Law-Now has moved to CMS.law. RegZone has moved to CMS.law. LEXplicite has moved to CMS.law. Blogtt has moved to CMS.law.
Learn more Learn more Learn more Learn more
If you want to use third party tools, please enable personalisation cookies as part of your cookie preferences. You can change this setting at any time via the button below or in our Cookie Notice.