Part 2 - Positive ripple effects of adopting the GDPR
The number and severity of the risks in the organisation that is the subject of the assessment shrink almost immediately, without any formal action being taken on the results of the assessment. This may sound like witchcraft, but the effect, once analysed, can be explained.
Those people within the organisation who are likely to be involved in the assessment perform a rapid informal assessment themselves, and actively manage risks before the assessment takes place. This is sometimes done subconsciously, but the effects are apparent and often obvious. Dealing with the easy wins and ‘low-hanging fruit’ can make a significant difference to your risk profile.
A similar effect occurred during the preparations for the much-hyped Millennium Bug. The analysis needed to provide assurance that the ‘Bug’ could be handled gave one of those rare opportunities for management to study, analyse and optimise their business processes and data stores. GDPR offers the same opportunity.
Rather than facing the incoming regulation with trepidation, treat it as a real opportunity to get one’s house in order and maximise the effectiveness of your business processes. It also sheds light on hidden processes, which often involve practices such as hoarding data locally for analysis with common tools such as Excel. Such informal processes increase data redundancy, introduce real risks (such as multiple unregulated copies of personal information), and expose your organisation to potential regulatory threats, such as a vigilant ICO!
I recall one situation when various Excel data files were discovered in shared storage that in themselves were relatively harmless. In this organisation, it was very important that some staff were able to conceal their home addresses. One file contained names, dates of birth and sundry other information – but no addresses. Note that it included staff numbers, which were unique to individuals. Another file was found that contained personal addresses, but none of the personal information found in the other file. However, it also contained staff numbers. It would not take much effort to combine the two – and use the aggregated file to discover identities AND personal addresses, exposing those whose information was deemed sensitive.
One of the first steps that needs to be done when addressing GDPR is to find out what personal data you hold, where it is, and what it’s used for. If done well, such ‘data mapping’ will identify issues such as the example above, and help reduce risk immediately. It can also indicate that you have a business process problem, in that you’ll need to know WHY your staff acted in this way. Perhaps you have access or performance problems that drive people to hoard personal data locally. Remember, people want to get on with their jobs – if there’s something holding them back, they’ll often find a way around it.
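The linkage problem in the story above is exactly what a data-mapping exercise should catch: two files that are each harmless on their own, but share a column that is unique per individual and so lets them be joined. The following script is an added illustration (not code from the original article or from APMG) of how that check can be automated over spreadsheet exports. The two CSV exports and the file names are constructed sample data standing in for the profile file and the address file described in the text; it flags any pair of files that share a unique-per-row column with overlapping values and lists the attributes a join would bring together.

```python
import csv
import io
from itertools import combinations

# Constructed sample exports standing in for the two spreadsheets in the story.
# Names, dates and addresses are placeholders, not real data.
STAFF_PROFILE_CSV = """staff_no,name,date_of_birth
1001,Alice Example,1980-02-14
1002,Bob Example,1975-07-30
1003,Carol Example,1990-11-02
"""

ADDRESS_LIST_CSV = """staff_no,home_address
1001,1 Sample Street
1003,3 Placeholder Road
"""


def load_csv(text):
    """Parse a CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def candidate_keys(rows):
    """Columns whose values are non-empty and unique per row.

    Such a column identifies one individual per record, so it is a
    candidate join key between files (the staff number in the story).
    """
    if not rows:
        return set()
    keys = set()
    for col in rows[0].keys():
        values = [row[col] for row in rows]
        if all(values) and len(set(values)) == len(values):
            keys.add(col)
    return keys


def linkage_findings(datasets):
    """Report pairs of files that can be joined on a shared unique column.

    datasets maps a file name to its parsed rows. Each finding records the
    join key, how many individuals the join would link, and which attributes
    end up combined in one record as a result.
    """
    findings = []
    for (name_a, rows_a), (name_b, rows_b) in combinations(datasets.items(), 2):
        shared = candidate_keys(rows_a) & candidate_keys(rows_b)
        for key in sorted(shared):
            matches = {r[key] for r in rows_a} & {r[key] for r in rows_b}
            if not matches:
                continue  # same column name, but no individual appears in both
            combined = (set(rows_a[0]) | set(rows_b[0])) - {key}
            findings.append({
                "files": (name_a, name_b),
                "join_key": key,
                "linked_records": len(matches),
                "combined_attributes": sorted(combined),
            })
    return findings


def scan_sample():
    """Run the check over the constructed sample files."""
    return linkage_findings({
        "staff_profile.csv": load_csv(STAFF_PROFILE_CSV),
        "address_list.csv": load_csv(ADDRESS_LIST_CSV),
    })


if __name__ == "__main__":
    for finding in scan_sample():
        a, b = finding["files"]
        print(f"{a} and {b} can be joined on '{finding['join_key']}': "
              f"{finding['linked_records']} individuals would be linked, "
              f"combining {', '.join(finding['combined_attributes'])}")
```

On the sample data the only shared unique column is `staff_no`, and the report shows that joining the two files links two individuals and brings name, date of birth and home address together in one record. In a real data-mapping exercise the same logic runs over every export found in shared storage, and each finding is a prompt to ask why the copies exist and which one should be removed or access-controlled.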
The GDPR Awareness One Day Course ‘Making Data Privacy Matter’ from APMG can help set out how best you can begin dealing with the incoming Regulation. Although compliance is mandatory, don’t forget that there are real, tangible and often unexpected benefits from good practice.