
Who's your Chief Data Minimisation Officer (CDMO)? A Thought Experiment...

Related Topics:
Transformation
5 June 2025
Synergy Law Special Counsel David Mesman
6 minutes

Imagine this. You’re at a barbeque. And someone asks – So, who’s your CDMO? You say – Our what? What’s a CDMO? Your new BBQ mate says – Ah… CDMO stands for Chief Data Minimisation Officer. Doesn’t your company have one? You respond – Ah, no... So, what exactly does your CDMO do? With a bemused look, your BBQ friend replies – Well, they manage our data assets, review data inventories and ensure that any data, if it hits its use-by-date, gets destroyed, or temporarily stored in low-cost encrypted platforms.


That’s when your BBQ buddy starts thinking – What kind of company does this person work for? They’re setting themselves up for disaster, starting with data breaches and fines from the Privacy Commissioner. That’s not to mention the hordes of angry customers and their class action lawyers, who point out that their clients stopped being customers ten or twelve years ago – and they really don’t appreciate having their personal data up for sale on the Dark Web. And what about the brand damage when the community realises that this person’s company suffers from DHD, or Digital Hoarding Disorder? They’re also on the road to ruin in litigation, when the company discovers that it has retained 10,000 documents when it was only (legally) required to hold on to ten. Plus, they’ll need to pay huge legal fees for lawyers and an army of AI-augmented paralegals to sort through this digital haystack to find the relevant needles…


For those of you who didn’t Google the term, the AI assistant tells me that ‘the CDMO is not a standard, widely recognised job title or role.’ Not yet, at least. It’s just a thought experiment. But considering the scenarios I just described, shouldn’t there be one, or something like a Chief Data Minimisation Officer? Most organisations would likely say – We’ve got a CDO, CTO or CIO. They cover off those issues with our CLC (Chief Legal Counsel), who reports up to the CFO and the Board’s Risk Committee. What’s the problem with that, beyond having to decipher all those C-suite acronyms?


The problem in a nutshell is that most organisations think they ‘have it covered.’ But based on repeated feedback from data-and-analytics professionals, ICT and cybersecurity specialists, most do not ‘have it covered.’ That’s also the constant theme from practitioners working with data scanning and classification tools. It’s their bread-and-butter to help organisations identify, quarantine and destroy data that’s passed its use-by date. Yet the simple fact is that most organisations are playing catch-up, both in identifying their datasets through a structured inventory process and in taking the final step of the data lifecycle – destroying data when it’s no longer needed. The additional risk is that organisations often start playing catch-up only after their worst-case scenario has eventuated, i.e. after a data breach, when the inventory is being built by the forensic team instead of by the business.


The obvious question is – why do we continue to play this game of catch-up? The answer appears to be that the default mode of most Australian corporates, public sector agencies and other organisations is to retain everything. But why is that the ‘default mode’? From my own experience and anecdotal evidence, organisations would much rather ‘get on with it,’ meaning they want to focus on their actual business and policy objectives rather than sort through hundreds of records-and-data retention obligations. Better to assume that ‘it’s covered’ than tackle a seemingly intractable problem, much less pay lawyers and records staff to implement those rules. And who would blame these organisations for taking the simple route, especially when storing data is supposedly a low-cost alternative? Well…


On that low-cost point, data storage may appear inexpensive per gigabyte, but it isn’t if an organisation continually ‘racks up’ (bad pun, I know) storage fees because the default is to retain everything under the sun. With larger organisations adding terabytes month-on-month and never deleting, the volume compounds and the storage, backup and replication bills grow with it, meaning costs can run into the millions. And then there’s the environmental impact. As flagged in my article ‘AI, Energy, National Security and DeNiro,’ hoarding data, and especially AI-driven data, comes with huge storage and energy costs.


Now, let’s turn our minds to the furious clients whose data ended up on the Dark Web, despite having moved to another supplier of electricity, gas, mobile phone or other services ten or so years ago. Their next stop? The Privacy Commissioner, complaints and investigations. Under the Australian Privacy Principles (APPs), APP 11 requires organisations to take ‘reasonable steps’ to safeguard personal information, and APP 11.2 already requires them to destroy or de-identify personal information they no longer need for a permitted purpose. With the recently enacted privacy reforms under the Privacy and Other Legislation Amendment Act 2024, APP 11.3 was added to make clear that the reasonable steps to secure personal information include “technical and organisational measures.”


Those technical measures would likely include ICT controls, cybersecurity and network architecture, along with training-and-awareness, reviews and audits – and the list goes on. In fact, a very good starting point for that list can be found in the Office of the Australian Information Commissioner (OAIC) Medibank Private Federal Court filing. My colleague Eloise Willis’ article provides an excellent, high-level summary of the key OAIC recommendations. Those recommendations include a series of practical and technical controls that organisations should seriously consider implementing – or at least the key ones. Front of mind for me? Mandating multifactor authentication (MFA) for any remote access to organisational platforms (an attacker on the same untrusted Wi-Fi, or holding a stolen password, should not get in with the password alone), and requiring MFA again when accessing sensitive datasets.


What about your organisation’s governance body – the Board of Directors, Advisory Committee or Shareholder Minister? They will undoubtedly be asking questions when asked to approve the payment of regulatory fines for not having appropriately secured datasets and personal information. The same holds true when boards and executives are asked to approve extraordinary payments to forensic, cybersecurity and legal teams to contain a data breach. Plus, there are clean-up costs, which can far eclipse the immediate containment expenses. And let’s not forget the huge discovery bills when your organisation is being sued and needs to roll out those AI-enabled paralegals.


If our hypothetical CDMO is sounding more and more attractive – good. While this is just a thought experiment, there may be merit in establishing something like a Chief Data Minimisation Officer function. This theoretical CDMO could help organisations navigate competing retention regimes, reduce the risk of data breaches and adhere to the Privacy Commissioner’s pronouncements about not retaining unnecessary data. Like the Marie Kondo of the digital world, CDMOs would be empowered to declutter, apply data minimisation principles, and coordinate stakeholders and other C-suite executives. A CDMO function could also use AI tools to build an effective framework to destroy records, or to put them safely beyond reach with encryption and other techniques – bearing in mind that encryption only defers destruction: the data is gone for good only once the key is destroyed too (what practitioners call crypto-shredding), and any copy still sitting in a backup is only as dead as the key that protects it.
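The inventory-review-and-destroy step described earlier and the destroy-or-encrypt framework just above both come down to one decision per record. The sweep below is an added example written for this page, not the author's or Synergy Law's code, and it is not legal advice: the retention periods, record classes and key store are constructed placeholders, and real periods come from the statutes and records-authority rules that apply to the organisation. It shows the checks a practitioner would want in such a sweep: a litigation hold overrides every destruction rule, unclassified data is flagged for review rather than auto-destroyed, and records protected by a per-record key are crypto-shredded by destroying the key (which covers every backup copy at once) rather than by chasing the ciphertext.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed retention periods for illustration only (assumed, not legal advice).
RETENTION_YEARS = {
    "customer_account": 7,   # assumed: 7 years after the account was closed
    "marketing_consent": 2,  # assumed: 2 years after last contact
}


@dataclass
class Record:
    record_id: str
    record_class: str
    last_use: date                # last legitimate business use (e.g. account closure)
    personal_info: bool
    legal_hold: bool = False      # litigation hold overrides every destruction rule
    key_id: Optional[str] = None  # per-record encryption key, if the record has one


class KeyStore:
    """Toy in-memory key store standing in for a KMS/HSM (assumed, not a real API)."""

    def __init__(self, keys: Dict[str, bytes]):
        self._keys = dict(keys)

    def destroy(self, key_id: str) -> None:
        # Once the key is gone, every copy of the ciphertext (including backups)
        # is unreadable: this is the crypto-shred.
        self._keys.pop(key_id, None)

    def can_decrypt(self, key_id: str) -> bool:
        return key_id in self._keys


def years_since(start: date, today: date) -> float:
    return (today - start).days / 365.25


def disposition(rec: Record, today: date) -> str:
    """Decide what the sweep should do with one record."""
    if rec.legal_hold:
        return "hold"             # never destroy evidence under a litigation hold
    years = RETENTION_YEARS.get(rec.record_class)
    if years is None:
        return "review"           # unclassified data is never auto-destroyed
    if years_since(rec.last_use, today) < years:
        return "retain"
    # Past its use-by date: shred the key if there is one, otherwise delete the
    # record from primary and backup stores.
    return "crypto_shred" if rec.key_id else "destroy"


def sweep(records: List[Record], keys: KeyStore, today: date) -> Dict[str, List[str]]:
    """Group records by disposition and execute crypto-shreds against the key store."""
    result: Dict[str, List[str]] = {
        "hold": [], "review": [], "retain": [], "crypto_shred": [], "destroy": []
    }
    for rec in records:
        d = disposition(rec, today)
        result[d].append(rec.record_id)
        if d == "crypto_shred":
            keys.destroy(rec.key_id)
    return result


def sample_sweep(today: date = date(2025, 6, 5)):
    """Run the sweep over a constructed inventory; returns (dispositions, key store)."""
    keys = KeyStore({"k-1001": b"\x00" * 32, "k-1002": b"\x01" * 32})
    records = [
        Record("acct-1001", "customer_account", date(2013, 3, 1), True, key_id="k-1001"),
        Record("acct-1002", "customer_account", date(2022, 1, 1), True, key_id="k-1002"),
        Record("acct-1003", "customer_account", date(2010, 7, 9), True, legal_hold=True),
        Record("mkt-2001", "marketing_consent", date(2021, 5, 1), True),
        Record("export-9", "unknown_export", date(2005, 1, 1), True),
    ]
    return sweep(records, keys, today), keys


if __name__ == "__main__":
    dispositions, store = sample_sweep()
    for action, ids in dispositions.items():
        print(f"{action:13s} {ids}")
    print("k-1001 still usable:", store.can_decrypt("k-1001"))
```

The point of the `review` bucket is that a sweep which cannot classify a record must not guess: the customer whose account was closed ten years ago is exactly the record most likely to be sitting in an unlabelled export, and it goes to a human, not to the bin. The `hold` bucket is the mirror-image caveat for the litigation scenario in the article: destroying data that is subject to a hold is its own disaster.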


So, is the CDMO a pipe dream, a possibility or even a necessary function? For the record, I used the term ‘CDMO function’ on purpose – not to suggest that organisations should add another ‘C’ to their C-suite. Arguably, the CDMO function could be spread across existing C-suite positions, like CIOs, CTOs, CDOs and CLCs. However, there are inherent challenges with ‘managing by committee’ and achieving actual outcomes when KPIs are shared, and nobody owns the decision to delete. That’s especially the case if KPIs are linked to bonuses and remuneration structures.


However, a simple way to justify one’s corporate existence is to convert a position from an expense or liability into one that generates value. How does that apply to our theoretical CDMO? The CDMO ‘function’ could justify its existence by pointing to the terabytes of data it eliminated. Those terabytes can represent significant savings – in the millions of dollars – and every terabyte destroyed is a terabyte that can no longer be breached. That’s not just good news for a company’s bottom line; it also reduces your organisation’s carbon footprint. In a nutshell, we’re talking about ‘CDMO game wardens’ becoming poachers, but poaching here serves a worthy cause: being a foundation stone in an organisation’s efforts to mitigate data breach risk.


My firm, Synergy Law, is here to help organisations think through ways to reduce the risk of privacy breaches by applying simple but effective data minimisation techniques that consider the entire data lifecycle. That’s why the ‘CDMO thought experiment’ should be more than just an experiment: it can be put into practice and operationalised. On 17 June 2025, I’m going to be speaking at the Gartner Summit in Sydney about privacy, data minimisation and reducing risk through techniques like having a CDMO function. Hope to see you there!


AI generated image of a robot acting as the Chief Data Minimisation Officer.