I have had a lot of personal information requested by different businesses over the past few weeks. Some of it was for credit card payments, some for insurance, and some for other legitimate purposes. It was interesting to find the number of businesses that requested unnecessary personal information because that is the way it has always been done by their company.
Take, for example, the company that I am having move some boxes for me. After they loaded their truck I was pleased that they took my credit card and swiped it through a (PCI compliant) wireless device. After signing the receipt, I was presented with a second piece of paper to sign on which the driver had listed my credit card number, expiration date, and the security code. The driver had no idea why the office asked for this extra document, so we called them. Their process always collected the information and never stopped when the wireless device was introduced even though the secondary collection was no longer necessary.
Later in the week I visited a medical professional’s office for the first time. Their first-visit questionnaire asked for my social security number. Why? At one time this was used as a unique identifier in their systems, but no longer. When the application requirements and processes changed, the form never did.
There are other examples, but the point is the same. In every case the vendor, usually an SMB, had improved their technology but never reviewed their processes to see if they still needed the personal information they were collecting.
When technology changes, you have an opportunity to update your processes to reduce the information being collected. Continuing to collect information that now provides no value to you incurs costs for the collection, protection, and proper destruction of that information without any benefit. You are also missing an opportunity to reduce the risk of a data loss that may need to be reported.