Thinking foundationally about data security and compliance – blog 3 in the Data-First Thinking series
In this series I have been outlining Pivotl’s emerging Data-First Methodology, designed to help complex organisations achieve greater outcomes with their data. In the previous blog I focused on the first principle of Data-First: being deliberate with data.
I outlined the ways data can improve an organisation, while focusing on the importance of engaging the wider organisation in identifying what these benefits would look like in a specific area of the business. The success of the Data-First organisation is measured by the impactful use of data-based solutions to overcome business challenges and seize opportunities. This must be owned by leaders across the organisation, with business-wide engagement in deliberately identifying what data needs to achieve across the organisation.
The outputs from the process of being deliberate with data are an essential prerequisite to successfully applying the second principle, being foundational with data. By engaging the organisation in deliberately identifying what data investment will improve, and why, we can then make informed value judgements about how to lay the right foundations to enable this.
Data-First is underpinned by the following four foundational building blocks. However, the strategic what and why must be applied to effectively inform every decision an organisation makes about each building block.
The four foundational building blocks of Data-First thinking.
This blog is dedicated to the most important foundational block: Security and Compliance. (I will address the other three blocks over the remainder of this series of blogs.)
Nothing will put a brake on the data ambitions of an organisation quite like a publicly recognised misuse of sensitive data, or repeated failure to meet compliance requirements. Falling foul of the Data Protection Act 2018 is a humbling experience. It can result in a fine of up to £17.5m, and growing case law makes an award of damages where data has been misused an ever-increasing likelihood. Regardless of fines, the experience of investigation alone undermines the confidence of key stakeholders within the organisation in question to be more ambitious in their use of data.
Fines and organisational disruption through legislative process have to date been significantly higher in the UK private sector. However, in public service organisations that are privileged to access DPA 2018 gateways to process data, security and compliance breaches have been hugely embarrassing for their leadership and have rightly been seen to directly undermine public faith in key services.
Security and Compliance must always be the first foundational block of the Data-First organisation. Quite simply, to continue the privilege of working with sensitive data, the organisation has to demonstrate a continuous application of appropriate risk management in all data activity, at all levels, at all times. There is no way to eliminate all risk when it comes to data processing. However, if the worst happens, an organisation must be able to demonstrate that its management of data processing risks was entirely appropriate and reasonable.
This is where the prerequisite of establishing the specific needs of the organisation’s data, as part of a deliberate strategy, is essential. How can any organisation ascertain its level of risk appetite and exposure without knowing what the benefits of a specific data processing activity are? When seeking compliance assurance for a new way of processing data from an Information Governance (IG) specialist, if the importance and relevance of why the data needs to be processed can’t be articulated, the specialist should only ever advise that the data should not be processed.
By understanding the breadth of specific data processing needs across the organisation, risk management solutions that can be standardised and scaled through platforms, processes, policy, skill development etc. can start to be designed. By putting compliance first, the organisation can design in efficient ways to meet its obligations to manage the sensitive data it holds on behalf of people, such as automating subject access requests or anonymising, obscuring or deleting data. These activities don’t have to be a reactive manual burden; they can and should be baked into solution design, enabling a truly efficient centre of data excellence to emerge in an organisation.
Compliance and security measures become increasingly costly and disruptive to deploy when an organisation has to retrofit them into a poorly designed data architecture and operating model. Nearly all organisations know this from the legacy systems they have been living and suffering with, but are beginning to replace and upgrade into something fit for a Data-First future.
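To make the “baked into solution design” point concrete, here is an added illustration (not Pivotl’s code or methodology, and not from the original post) of a record store where every record carries its data subject, the purpose it is held for and its retention period. With that metadata designed in, subject access requests, retention purges, erasure and pseudonymisation become routine operations of the platform rather than manual work done after the fact. The record layout, the HMAC-based pseudonymisation, the list of direct identifiers and the sample data are all assumptions made for this example.

```python
"""Privacy-by-design record store: subject access, retention, erasure and
pseudonymisation as built-in operations.

Added illustration, not Pivotl's code. Record layout, keyed-hash
pseudonymisation, the direct-identifier list and the sample data are
assumptions for the example.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Record:
    subject_id: str         # the person the data is about
    purpose: str            # the "why" settled in the deliberate-with-data step
    collected: date         # when the data was collected
    retain_days: int        # retention period agreed for this purpose
    fields: dict = field(default_factory=dict)


class DataStore:
    """Every record says who it is about, why it is held and for how long,
    so compliance operations can run over the whole store automatically."""

    # Assumed set of direct identifiers stripped from analysis copies.
    DIRECT_IDENTIFIERS = {"name", "email"}

    def __init__(self, pseudonym_key: bytes):
        self._records: list = []
        self._key = pseudonym_key   # held apart from the data; never exported

    def add(self, record: Record) -> None:
        # Design-time control: data with no stated purpose is not stored.
        if not record.purpose:
            raise ValueError("refusing to store data with no stated purpose")
        self._records.append(record)

    def subject_access_request(self, subject_id: str) -> list:
        """Return everything held about one person in an exportable form."""
        return [
            {"purpose": r.purpose, "collected": r.collected.isoformat(), **r.fields}
            for r in self._records
            if r.subject_id == subject_id
        ]

    def erase_subject(self, subject_id: str) -> int:
        """Right to erasure: drop every record about the subject; return count."""
        before = len(self._records)
        self._records = [r for r in self._records if r.subject_id != subject_id]
        return before - len(self._records)

    def purge_expired(self, today: date) -> int:
        """Retention: drop records past their agreed retention period."""
        before = len(self._records)
        self._records = [
            r for r in self._records
            if r.collected + timedelta(days=r.retain_days) > today
        ]
        return before - len(self._records)

    def pseudonymised_view(self) -> list:
        """Analysis copy: subject ids replaced by a keyed hash, direct identifiers
        removed. The same person maps to the same pseudonym, so records still
        join, but relinking to a real identity needs the separately held key."""
        view = []
        for r in self._records:
            pseudonym = hmac.new(self._key, r.subject_id.encode(),
                                 hashlib.sha256).hexdigest()[:16]
            kept = {k: v for k, v in r.fields.items()
                    if k not in self.DIRECT_IDENTIFIERS}
            view.append({"subject": pseudonym, "purpose": r.purpose, **kept})
        return view


def build_sample_store() -> DataStore:
    """Constructed sample data for the example; not real people or services."""
    store = DataStore(pseudonym_key=b"example-key-keep-this-in-a-vault")
    store.add(Record("S1", "housing repairs", date(2023, 1, 10), 365,
                     {"name": "A. Example", "email": "a@example.org", "tenure": "tenant"}))
    store.add(Record("S1", "council tax", date(2024, 5, 2), 730,
                     {"name": "A. Example", "band": "C"}))
    store.add(Record("S2", "housing repairs", date(2024, 3, 15), 365,
                     {"name": "B. Example", "email": "b@example.org", "tenure": "leaseholder"}))
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print("SAR for S1:", s.subject_access_request("S1"))
    print("analysis view:", s.pseudonymised_view())
    print("expired records purged:", s.purge_expired(date(2024, 6, 1)))
    print("records erased for S1:", s.erase_subject("S1"))
```

The point of the design is that none of these operations needs someone to go looking for where a person’s data might be: purpose, subject and retention travel with the record, so the IG specialist’s questions (why is this held, for how long, who can see it) are answered by the platform itself.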
Building a new enterprise architecture and operating model is a once in a generation opportunity to efficiently and effectively accelerate the organisation’s management of sensitive data.
It’s still very early days for Data-First working in large, complex, analogue-era organisations. However, where early success is happening, Information Governance Leads are always positively engaged from the outset. They want to see the organisational capability and data maturity grow. They know the organisation needs to increase its data processing capability and capacity to survive and thrive. They want to help make this happen, and will always get on board with the right foundational approach.
My colleague Jess Figures wrote a great article about leaving your digital baggage at the door when approaching data. Nowhere is the need to design and deploy enterprise-wide capability through scalable solutions and approaches greater than in Security and Compliance. Without this thinking front and centre in all data approaches, organisations are doomed to live out what exists today – burden, disruption, fear, delay, even paralysis. Through a foundational approach the organisation can turn its security and compliance investment into a true organisational enabler. This is, believe it or not, the underlying intention of the GDPR and the Data Protection Act 2018. If we all work with sensitive data securely and compliantly, then we can do great things with it.