There is a lot of absolute rubbish being published about the demands of the impending General Data Protection Regulation (GDPR) and its impact on both the public and private sector. I am going to try not to add to this.
What does seem to be the case though is that the chickens of historically poor information management practice are coming home to roost.
So, if you’re stuck with what you’ve got and are wondering where to start, we have developed this simple-sounding five-step approach for you:
- Know what you’ve got.
- Understand the risk.
- Implement risk mitigating controls.
- Embed risk mitigating controls.
- Monitor, report and improve risk mitigating controls.
Simple? Obviously not.
For us, the key issue is a cultural shift from the autonomy to act being dispersed across an organisation, to effective management control. It is impossible for the Information Governance (IG) team, typically one person, to retrospectively discover what an organisation is doing. Their only tool is to ask people nicely.
Our view is that, before a new or changed collection or processing of personal data takes place, there should be a management assessment. We are not undiscovered geniuses having a Eureka moment; this is what GDPR requires.
We think there is a rapidly closing window of opportunity to achieve this cultural shift. We are working with a number of clients to deploy the Flowz software (www.flowz.co.uk) about which we wrote in our last blog. Whilst we may think it is the world’s greatest software, the return on investment comes in embedding it in your approvals process.
One of our clients has taken the opportunity to get on the front foot.
They have told their staff that there is an amnesty between now and Christmas to register whatever personal data they are processing. If they do that now, the team will support them.
If they wait until after Christmas, they have been told they will not get the same level of support. This is largely because we expect the IG Team to still be clearing the backlog resulting from the pre-Christmas requests.
What clinches it is that management are supporting a line that, if any manager is caught processing unauthorised personal data, they will be subject to disciplinary action. All proposed uses of personal data must now be registered in Flowz, and receive approval, before anyone starts collecting and processing the data.
This is not an original idea (plagiarism is the greatest form of flattery), but arose from a conversation with the MOD Research Authority, who were horrified when I suggested they might be seeking to use Flowz to retrospectively capture personal data. No, all processing must first be approved – a lightbulb moment.
We now encourage all of the organisations we work with, certainly where they have already appointed their Data Protection Officer, to take this approach.
David Stone (October 2017)