20 years ago today, part 5: Why do I need data privacy?

This post is a continuation of a series of reminiscences and predictions on all things
information management, to celebrate 20 years of Metataxis.

Twenty years ago, managed privacy of your data was a vague hope. We were all at the mercy of a mushrooming number of online providers (some well-behaved, many not). A whole generation grew up with social media where openness was the norm. That generation then realised what we old-timers had been saying: that such openness was not always good. The world noticed these concerns and government bodies took action. And from the EU, GDPR was born.

20 years ago today, part 8: Strap on your jetpacks

This post is a continuation of a series of reminiscences and predictions on all things information management, to celebrate 20 years of Metataxis. Let’s now look to the future… Guessing what the future will hold is easy; guessing right is hard.


Metataxis now on G-Cloud 12

Metataxis are pleased to announce that public sector organisations can again access our services through the latest G-Cloud 12 framework.

Cloud services, such as O365/SharePoint Online, require careful planning, design and governance to be successful; however all too often this is just seen from a technical perspective rather than one based on the information and the user.

Metataxis can help organisations meet these information management and information architecture challenges that make the difference in being able to support long term adoption and deliver real value.

Metataxis offer a number of services on the G-Cloud:

  • Information Governance & Assurance
  • Information & Knowledge Management Strategy
  • Content Migration Services
  • GDPR Compliance Services
  • Information Architecture Services
  • Information Discovery Services
  • Information Management Services

    If you would like any further information then please contact us.

    Lessons from The West Wing for GDPR compliance

    What now seems an age ago, there was a TV series called The West Wing, telling the story of President Bartlet and his White House staff: people capable of wisdom, bravery, some pretty good one-liners and glam frocks, on a quest for human aspiration, despite frequently revealing themselves as flawed human beings.

    In the episode ‘A Proportional Response’, President Bartlet is battling the desire to order retribution on a vast and violent scale after a Syrian attack on a US military aircraft that killed several Americans, including a young new father Bartlet had befriended. Instead, the President is talked down by his Chief of Staff, Leo McGarry, into a response that is proportional to the situation rather than smiting the earth in fury.

    A response that is, in Leo’s words, ‘proportional, it’s reasonable, it’s responsible, it’s merciful.’

    So what is the relevance of a ‘proportional response’ to GDPR compliance? To align with GDPR, an organisation needs to strike the right balance between over-reacting and failing to address what genuinely needs to change.

    After all the pre-25 May GDPR hype and headlines, and the deluge of consent emails flooding our inboxes, what followed was…well…not a lot, really. It almost feels like we are still waiting for ‘it’ to happen. Or that ‘it’ will never happen. That it was all just hype; yet another Y2K fizzer.

    The very tempting ‘proportional response’ to this is to do exactly nothing. To pat ourselves on the back that we weren’t taken in by all the dark threats and headlines, and to go on our merry way, scattering personal data about like confetti at a wedding.

    But don’t be fooled.

    The ICO has been busy. The penalties issued to date have mostly still been under the previous legislation (the Data Protection Act 1998), because the investigative process takes time and GDPR has only been in force for five months.

    Whatever ICO decisions are downstream, what matters for organisations about data protection is what has always mattered. It’s an opportunity to do business better by aligning with the new regulations. That’s what a ‘proportional response’ is: one that makes sound business sense in the long term. It’s not just about fearing the goblins that live in dark data, or the avenging angels.

    Taking a ‘proportional response’ to your data protection is about gaining positive outcomes along the way to compliance. Organisations will eventually save money they didn’t even realise they were wasting. They will gain insight from joining up data that they never knew they had. And should the worst case happen, they will be in the most resilient position possible to be able to handle such an event.

    A proportional response requires you to understand your risk profile in terms of the personal data you control and process. You need to know what personal data you have, where it is and what could go wrong with it. Which data and systems should you be focusing your effort on?

    Once you have that knowledge, you can make it difficult for your employees to do the wrong thing and easy for them to do the right thing, because the systems in place support that outcome. You can take every reasonable measure to protect what needs to be protected, from deliberate attack and from somebody just doing something dumb.

    ‘It’s proportional, it’s reasonable, it’s responsible, it’s merciful.’ To your organisation, to your bottom line, and to the data subjects who are your customers and your employees.

    Deal or No Deal: GDPR after Brexit

    UK Inadequacy?

    Late last week the government issued a formal statement about the position of the UK in relation to GDPR in a no-deal scenario. As expected, the conditions for the flow of data between the UK and the EEA are a primary concern in this situation. Transfers of personal data outside the EEA must be safeguarded, and of all the safeguards available, the ideal for the UK is to gain adequacy status.

    Regardless of Brexit, it can take some time for the European Commission (EC) to review whether adequacy status may be granted. Earlier this year the Information Commissioner, Elizabeth Denham, spoke in Select Committee about the need to seek an adequacy ruling sooner rather than later to ensure a smooth transition, and also expressed doubts about whether the UK would attain adequacy.

    There are some impediments to UK adequacy, namely the so-called Snoopers’ Charter (the Investigatory Powers Act 2016), which has been challenged before the European Court of Justice (ECJ). The ECJ has ruled that the “general and indiscriminate” retention of electronic communications data of the kind the Act permits is unlawful under EU law.

    Also, once the UK leaves the EU, it will no longer be covered by the EU-US Privacy Shield arrangement for transfers to the United States. There is concern that any data-sharing agreement between the US and the UK will not be robust enough to satisfy European requirements.

    To be fair, this was always going to happen. With Brexit, the UK was always going to have to come up with a strategy for data sharing across the EEA. But a no deal outcome may accelerate the process, meaning this must be dealt with sooner rather than later.

    Without the certainty of an adequacy ruling any time soon, government advice is to begin preparing for the use of Model Clauses (standard contractual clauses) and Binding Corporate Rules (BCR) to safeguard data transfers from the EEA to the UK. Note that BCRs only cover transfers within a single corporate group, so most organisations will be relying on Model Clauses with each EEA counterparty. Each of these may involve quite a lead-in time for organisations to set up, so the time to act is now.

    Uncertainty and Risk

    What does that mean for organisations in the UK that rely on GDPR to support free flow of information within the EEA? It’s a risk, and one you should be ready for. While there is uncertainty about the future of data transfer arrangements between the EEA and the UK, it is worth beginning to prepare for the worst.

    How do you prepare? The first step is a risk assessment. Organisations that have already worked to comply with GDPR will have a head start, as they will understand their data flows and have a strategy for applying safeguards to transfers. In effect, those who have records of processing and GDPR action plans will already have completed much of the analysis they need to pinpoint the areas that must be addressed.

    If you haven’t done this already, and you do share personal data with organisations in the EEA, understanding where your personal data is, where it comes from and where it is sent is now urgent.

    With the future so uncertain, and such a high noise-to-signal ratio on the topic of Brexit in the media, it is tempting to switch off and pretend it is not happening. But for UK businesses, sleepwalking into a no-deal/no-data situation is not an option. If not already started, risk assessment, mitigation and safeguard arrangements need to start now.

    Join us at IRMS Conference in May

    IRMS Conference 20 May – 22 May, The Hilton Brighton Metropole
    Join Metataxis at IRMS this year where Marc Stephenson will be speaking on Blockchain, and Alex Church and Leigh Hanton will be presenting a case study of how unstructured information has been wrangled to alignment with GDPR.