The best way to keep information is not to have it: GDPR expert on personal data collection best avoided


Siarhei Varankevich, CIPP/E, CIPM, CIPT, MBA, FIP, gave an interview to, in which he told why it is better for businesses to avoid collecting personal data and what to do with the ones already owned.




In the pursuit of leads, marketers have learned to collect so much personal information that it has become toxic through abuse, leaks and ineptitude. People are less and less willing to share “personal” information, and the level of distrust in those who ask them to do so is increasing.

Siarhei Varankevich considers himself to be one of those professionals who approach security issues from the position of respect for privacy. He is for the ethical treatment of personal data at the startup of a business, in order to avoid critical situations such as leaks.


The best way for businesses not to lose information is not to have it, says Siarhei.


Well, this is impossible,” object marketers, business owners, collectors and sellers of leads. We live in a time where personal data is collected by anyone and everyone. Siarhei calmly replies that in many cases collecting personal data on clients is unnecessary. You can do without it or minimize it to solve specific problems, nothing more.

– Of course, it makes sense to have contact information from the client to be able to contact him, especially if the person has shown interest in the product,” says the specialist. But there is absolutely no need to know his date of birth, second email account, or place of residence.

This information is considered superfluous and toxic by Siarhei, his colleagues working in the field of personal data protection, as well as by the law. Marketers are likely to disagree with them. After all, for example, knowing the location allows for clearer targeting or outdoor advertising. And birthdays – an excuse to once again remind about the product specials.

– Yes, marketers will argue with me, and they would be wrong. Because in the long run, they and their customers want to have loyal customers with a high level of trust. But so far we are moving towards the abyss that undermines this trust”, said Siarhei Varankevich.

People, realizing how much can be done with their phone number or address, are less and less willing to share it. In most cases, they do not want to receive birthday greetings from unfamiliar people or brands. If only because these greetings are insincere and serve the sole purpose of selling something.


When a person’s privacy is often violated in this way, they stop trusting even those who did not intend to do so.


Personal data laws are not about getting in the way of business. On the contrary, they help to restore trust in business. And to do this, you need to give the individual confidence that their personal data is protected and will not be misused. It is important to keep a person in control of their data. Then they will be more willing to share it, rather than getting nervous every time their name or contact number is asked for.

In 2015, studies in the European Union showed that businesses lose about 60 billion euros a year precisely in situations when people are worried about their personal data and refuse to buy.

Thus, according to Siarhei, in the short term data collection pays dividends, but in the long term businesses and marketers lose out. Globally, trust in digital business, economics and services is being undermined.


How do you set the limits to the size of data to be collected?


– The general and cardinal rule is to take exactly as much data as you need to achieve your particular goal. Say, what data do you need if you are holding a seminar or conference? To invite people to it and reset the link to the broadcast is enough one e-mail. If you have another purpose – to sell your services, and so you conduct a seminar, it is enough to ask people about their interest, so as not to bother them unnecessarily, – recommends Siarhei Varankevich.

People have different ways to protect themselves – fake numbers, fictitious names, additional accounts that exist solely for the purpose of registering for events, getting checklists and discounts. Siarhei advises to ask yourself a test question, what happens if the person fakes their data? Will I be able to provide him or her with a service or not?

For example, whether you can invite someone to your event, pointing out their name as Arnold Schwarzenegger? Of course you can. So, you can either not ask for a name at all, or make the input field optional, or allow a person to name himself or herself as he or she wants to be addressed. In this case, the digital security of business is ensured by getting rid of risky assets in the form of redundant information, for the safety and use of which it is responsible.

Siarhei Varankevich calls excessive personal data toxic for several reasons. First, abuse: the more data, the easier it is to manipulate. And misuse causes mistrust. Second, the laws adopted in democracies entail serious penalties for violations of personal data protection. Therefore, the specialist advises you to carefully consider the ways to achieve your goal and if it is possible to achieve it without collecting personal data, you better choose this path.

– If you need to find out whether the person is 18 years old, then ask them about it, rather than asking for their date of birth. Excessive accuracy in this case creates risks. So, to answer the question of where the line is between redundant information and necessary information, I would say it lies in the proper formulation of your goals. In the end, you can always obtain additional information about the person with their consent,” says Siarhei.

If you want to congratulate the client on religious holidays, ask for prior consent and clarify their religion. There may be people who want to receive congratulations on Hanukkah, Passover or Ramadan from you, but most will probably refuse.


Of course, digital ethics, respect for privacy is a good thing. But for a long time now, masses of data have been collected about us, and it is unclear where and how they are stored. In addition, managers increasingly want to know as much as possible about the behavior of their employees during working hours. What to do about it?


– I see a trend that the situation is significantly changing. Weekends in factories and plants and the eight-hour workday didn’t appear all at once, either. Someone started first, even though it was out of step with the norm at the time. And then everyone in the market followed suit. Now there are more and more new laws, and they are getting stricter. And it’s no longer just a matter of ethics and fairness. There are laws and regulators who enforce them. And this sets a new trend,” says Siarhei.

Now it is not fashionable and even disgusting to spy on your employees. At least in a democratic society. Ten years ago, Siarhei recalls, an employee would have no questions if his or her boss checked his or her work laptop. But today the stories about how the company uses software or devices to monitor its employees are increasingly being heard in courts. And the decisions are usually not in favor of the companies.

– If we talk about surveillance and monitoring the actions of employees, you have to understand that when you come to work, people don’t stop being people. They have their personal life, circumstances and communication, which can intrude into the working hours. You can’t be in business without creativity, and creativity needs a certain degree of freedom. And such an employee is more beneficial to the employer than a mechanical performer. The rules of working relationships from the industrial era are no longer effective in the new reality,” says the digital security specialist.

Surveillance undermines trust, and salary is not the only motivator to go to work. Corporate boundaries today are shifting towards more trust and, accordingly, the degree of freedom for employees.


What about those who already have a lot of other people’s personal data?


Siarhei is convinced that you cannot do without setting up processes in the company, introducing technical measures and staff training. Employees must understand what information requires special care, and what information must be timely deleted. Clear rules for using, transferring and deleting information are necessary.

Data tends to accumulate. And if it contains a lot of sensitive personal information, it turns into a nuclear waste, which in the case of leakage or loss can cause irreversible damage to clients and the company.


What companies are interested in the protection of personal data?


Based on examples of his customers, Siarhei says the demand and need for privacy, customization and adaptation of applications and products to the principles of personal data protection is higher in the European Union. This is largely due to laws enacted there and the demand for personal data protection among the population. The fact is that the citizens of the European Union are under more pressure due to the constant hunt for their data. They are more solvent and therefore of interest to businesses and fraudsters around the world.

– The demand and awareness of privacy among Americans and Europeans is not determined by education or culture, but by the frequency and depth of the problems people face in this area. Small and medium-sized businesses from the European Union often come to us and ask to develop privacy for them, not only because of legal requirements, but in order to increase the level of customer confidence. This allows them to earn more money and even increase the price for a product that is good at protecting their users’ data. Another reason is that European customers or partners refuse to work with a company if it does not address the issue of personal data protection in accordance with European standards. They require compliance with GDPR and correct handling of personal data, otherwise they refuse to work.


The course is loading, wait a few seconds