
Blog: GDPR – It’s a data management problem

19/04/17


Personal data includes any identifiable data – IP addresses, cookies, telematics data and even the genetic code of an individual. Based on our own experiences here at Capita, our approach focuses on the principles of undertaking business and servicing your customers and members of the public in a way that demonstrates a positive and outcome based approach, rather than just legislative compliance.

If you take a step back from the complex aspects of the regulations, the implications and necessary obligations of the regulations are simply a spotlight on a number of interconnected problems and issues that organisations are grappling with:

Trust & Integrity: We would all have a dim view of any organisation that wasn’t transparent about how it derives, collects and uses data. It leads to all sorts of questions about the authenticity, relevance and accuracy of that data if it has been derived without the consent of the individual, or possibly from sources which are unknown, or which at least have not been evaluated and measured against your standards of trust and integrity and the way you do business.

Retention: In this digital world where data is now measured in petabytes and beyond - collecting, managing and analysing erroneous, outdated personal data has major implications for the overheads, cost of ownership and subsequent outcomes and quality of service being provided. This exponentially increases the risk exposure and downstream liabilities.

Risk and Liabilities: Is there an organisation or individual who is not utilising a cloud application provider, an offshore third party services organisation, or an externally hosted data centre? All of these have major implications for the possible loss of intellectual property, for liabilities arising from misuse, and for the commercial value and risk that your organisation is accountable for by using these third parties. To highlight the consequences of this issue: if you were thinking of seeking remedial action outside of the EU, consider that India currently has 20 million pending civil cases, and the high courts have over three million under appeal. Your contractual liabilities in relation to data misuse and fraud must be reviewed in the context of the local conditions of your externally appointed data processors.

Access, Auditability & Control: Personal data proliferates across your organisation and beyond it, for example in marketing, sales forecasts, purchase ledgers, customer mailers, and test and quality assurance extracts. All of these are sitting in sub folders, Excel databases, SharePoint environments, Google drop boxes, etc. This has major implications for your IT department and its ability to control and monitor a situation known as ‘shadow data’. This is data not sitting within the controls, auditability and processes of your IT organisation, and this is where 90% of data breaches occur: in the 'shadow data' environment! If it isn’t part of the main data environment, then erasing it, amending it and securing it is going to be a very difficult, if not near impossible, process to undertake and evidence.

Security: Insecure and undefined access is by itself a time bomb ticking away within most organisations. It could be through malicious intent or, probably more likely, the simple act of leaving an unsecured device on a train; a good example of which is the 24,000 lost items logged last year by Transport for London (TfL). Recent fines have been applied under existing legislation to a major retailer for just this situation. But the answer is not simply to lock down all your devices; ask instead why that personal data was on that device in the first place, and what the process is to assess the risk of such an incident.

In recent surveys, less than 13% of respondents had any formal incident management plan to follow in situations such as a lost device or more worryingly, the detection of a data breach or cyber-attack. Under the regulations you only have 72 hours to notify that a breach has occurred and you need to detail the event and what remedial action you have undertaken or plan to undertake.

Now the level of compliance you deliver will be based on the amount of risk you as an organisation are prepared to accept. That is why there is no such thing as a standardised template for compliance. The implications for a recruitment agency are far less than for a financial services organisation: holding child related records or personal bank details within your systems has far more consequences than a logistics company holding delivery address details.

Trust and integrity are at the heart of what Capita does and what our customers expect from us. Therefore, we believe companies should not attempt a knee jerk tactical solution or a specific regulatory compliance quick fix, but should understand that this is a Data Management problem that can be addressed with the correct application of methodologies and oversight.

'If it isn’t written down, it didn’t happen.' That is an underlying premise of the GDPR regulations: documentation, process and evidence of how they are applied. If we look at a component I would call Architecture, we begin to understand where the data is, where it came from and where it goes, and subsequently we can adopt technology solutions and apply structure, oversight and accountability to the areas of control, security and usage.

This needn’t be a massive project. For one of our clients, the best strategy was to adopt the 80/20 rule by focusing this approach on their main business systems. All of which leads us to GDPR and how to align this approach to that big elephant in the room. By applying these Data Management techniques to the GDPR requirements, just as we would to any business requirement, we will start to answer some of those fundamental questions we are asking ourselves and our customers.

In other words, if we can map the data, we know where it has come from and from what sources, and we can therefore address the issue of consent. We can then develop systems, controls, privacy data notices and repositories linked to the data.

If we know who has the data, where the data is, how it is stored, etc., we can address control and security, rectification, erasure and so on. To highlight the importance of this, in a very recent exercise we conducted for one of our financial services clients, the end result identified that 54% of the existing application landscape would fail to comply with the General Data Protection Regulation (GDPR) Article 17 - Right to Erasure.

Subsequently, we can define an appropriate solution or, as it is commonly known, a Target Operating Model. This is based on what we now know about our data environment and on the GDPR requirements, which should be supported by the initial step of a Data Protection Impact Assessment that may already have been undertaken or still needs to be.

GDPR is the business opportunity to solve a significant business problem AND be compliant. With an approach that addresses the overarching issues of the GDPR with good Data Management techniques, it is an ideal opportunity to demonstrate genuine business value by streamlining processes, systems and environments, and by creating a vision and strategy for how you will work with confidence and minimise risk to your organisation in the way you handle personal data. GDPR is a reason to do this, but NOT the only reason.
