Over the past year we have seen, predominantly because of the implementation of the applied GDPR (introduced using the Data Protection Act 2018), a large increase in understanding about personal data. However, there remain perceived barriers in relation to how personal data can be used within today’s digital society.
As a result of this perception, we’ve seen public sector organisations feeling that the law stops them from sharing personal data. This is a crucial area to address as we’re moving towards an Internet first and Cloud native strategy within the public sector.
Is the challenge just the GDPR?
Understanding what processing is permitted with personal data (as well as what is not), and how that ties in with appropriate governance, is an increasing challenge for organisations. This challenge is not just for personal data though, which only contributed a small fraction of the £364m in fines during 2017/18. Moving forward, the fiscal impact of failing to provide effective governance is just as likely to be due to the Network and Information Systems Regulations 2018, which came in just prior to the Data Protection Act 2018.
Those organisations who stopped after attaining “GDPR compliance” in Q1 2018, yet haven’t heard of the GDPR security outcomes or looked at the NIS guidance collection (or NHS England Data Security Standards), are likely to find themselves at the bottom of a steep learning curve, especially if they are merely addressing compliance requirements that don’t form part of a governance strategy.
Are we undertaking governance or reacting to compliance?
The need for an effective governance strategy is shown by the results of recent studies, which show that only 5% of organisations align to the NCSC Cyber top ten, and that 56% of organisations invest in Cyber controls after a high-profile breach rather than proactively selecting solutions that meet their needs. In short, industry (and their customers) are effectively self-diagnosing symptoms and buying treatments off the shelf. Just as it is better to seek the advice of a medical professional, it is advisable to understand what is causing the issues that are being faced and to address those issues with a sustainable cure.
If organisations are to evolve beyond reactive, unbudgeted spending, they are going to have to look beyond technology and look at the information flowing within their organisations to inform their governance. Many of the organisations I speak to believe that they are prevented from sharing information as a result of their GDPR compliance programmes, which conflicts with legal requirements for sharing personal data (e.g. within healthcare, social care and criminal justice).
Was the opportunity of the GDPR lost?
I wonder how many of the organisations looked beyond personal data and the requirements of the GDPR when they reviewed their systems? Those that didn’t are likely to have missed the opportunity to understand the requirements of the approximately 65-100 laws that govern their information management just from the type of organisation they operate, a figure that grows to over 4,000 when you start to look at activities undertaken in areas such as mental health and safeguarding. In my experience, few organisations can name more than 5 laws that they have to comply with regarding information management, so there is a real challenge to be addressed.
Those that have looked beyond the requirements of the GDPR within their programmes will see a greater understanding of information within their organisations: not just the need to protect it, but also the need to share it and how they use it. My experience with the legal requirements for handling information can be summarised into the following areas:
• the location of the data (how do you know where it is being stored, or if it has been deleted?)
• the format of the information (what is the asset?)
• the disclosure requirements (can you share it, and what are the requirements?)
• the retrieval requirements (what is the retention period, and can you access the information throughout that period?)
• the handling requirements (does it need encryption, where can it be accessed from, what right of audit is there?)
• the usage requirements (what purposes was the information acquired for, how do you provide evidence that you meet those requirements?)
What’s the benefit from addressing the opportunity?
That level of understanding is going to allow organisations to manage the risks when they talk about disruptive technology such as Cloud and smart cities. Governance of information also aligns with the application-centric strategy of government, as set out in the GDS white paper that talked about the Internet being okay. Looking beyond the headlines, there’s much to commend in its principles and their linkage to the network principles.
Understanding the information means understanding what level of service assurance is required, something that is increasingly important as we become more reliant on Cloud services and outages to the service, or to the connectivity to it, have more impact on operations. Understanding what you don’t know is part of the journey to adopting disruptive services. Moving to quantify these areas and improve understanding allows informed choice for the consumer.
Summary
Greater levels of understanding lead to being better placed to safely adopt these technologies that people are often wary of, as they’ve been taught for so long that they have to keep things secure behind big walls. The reality of life is that this approach is no longer sustainable. We’re seeing more progress towards security at the application layer, rather than relying on the network. However, if you don’t understand the information that’s flowing across those services and applications, how can you really get the best out of those technologies?