Lessons from West Wing for GDPR compliance

What now seems an age ago, there was a TV series called West Wing telling the story of President Bartlett and his White House staff who were capable of wisdom, bravery, some pretty good one-liners and glam frocks, who were on a quest for human aspiration, despite frequently revealing themselves as flawed human beings.

In the episode ‘A Proportional Response’ President Bartlett is battling the desire to order retribution on a vast and violent scale following a Syrian attack on a US helicopter which killed several Americans, including a young, new, father Bartlett had befriended. But, instead, the President is talked down by his Chief of Staff, Leo McGarry, to taking a response that is proportional to the situation, rather than smiting the earth in fury.

A response in Leo’s words, ‘It’s proportional, it’s reasonable, it’s responsible, it’s merciful.’

And so what is the relevance of a ‘proportional response’ to GDPR compliance? To align with GDPR an organisation needs to strike the right balance between over-reacting and, yet, still addressing what needs to change.

After all the pre-25 May GDPR hype and headlines, and the deluge of consent emails flooding our inboxes, followed by…well…not a lot, really. It almost feels like we are still waiting for ‘it’ to happen. Or that ‘it’ will never happen. That it was all just hype; yet another Y2K fizzer.

The very tempting ‘proportional response’ to this is to do exactly nothing. To pat ourselves on the back that we weren’t taken in by all the dark threats and headlines, and to go on our merry way, scattering personal data about like confetti at a wedding.

But don’t be fooled.

The ICO has been busy. The penalties to date are mostly still under the previous legislation. The investigative process takes time – and it’s only been five months.

Whatever ICO decisions are downstream, what matters for organisations about data protection is what has always mattered. It’s an opportunity to do business better by aligning with the new regulations. That’s what a ‘proportional response’ is; one that makes sound business sense in the long term. It’s not just about fearing the goblins that live in dark data, or of the avenging angels.

Taking a ‘proportional response’ to your data protection is about gaining positive outcomes along the way to compliance. Organisations will eventually save money they didn’t even realise they were wasting. They will gain insight from joining up data that they never knew they had. And should the worst case happen, they will be in the most resilient position possible to be able to handle such an event.

A proportional response requires you to understand what your risk profile is in terms of the personal data you control and process. You need to know what personal data you have, where it is and what could possibly go wrong? What data and systems should you be focusing your effort on?

Once you have that knowledge, you can make it difficult for your employees to do the wrong thing and easy for them to do the right thing, because the systems in place support that outcome. You can take every reasonable measure to protect what needs to be protected, from deliberate attack and from somebody just doing something dumb.

‘It’s proportional, it’s reasonable, it’s responsible, it’s merciful.’ To your organisation, to your bottom line, and to the data subjects who are your customers and your employees.

Deal or No Deal: GDPR after Brexit

UK Inadequacy?

Late last week the government issued a formal statement about the position of the UK in relation to GDPR in a no deal scenario. As expected conditions for the flow of data between the UK and the EEA are a primary concern in this situation. Transfers of data outside the EEA must be safeguarded. Of all the safeguards available, the ideal for the UK is to gain adequacy status.

Regardless of Brexit, it can take some time for the EC to review whether adequacy status may be granted. Earlier this year the Information Commissioner Elizabeth Denham spoke in Select Committee about the need to seek a ruling about adequacy sooner rather than later to ensure a smooth transition. and also expressed doubts about whether the UK may attain adequacy.

There are some impediments to UK adequacy, namely the so-called Snooper Charter which has been challenged by the European Court of Justice (ECJ). The ECJ has ruled that the “general and indiscriminate” retention of electronic communications allowed under the Charter to be illegal.

Also, once the UK leaves the EU, it will no longer be covered by the EU-US Privacy Shield provision for transfer to the United States. There is concern that any data sharing agreement between the US and UK will not be robust enough to satisfy European requirements.

To be fair, this was always going to happen. With Brexit, the UK was always going to have to come up with a strategy for data sharing across the EEA. But a no deal outcome may accelerate the process, meaning this must be dealt with sooner rather than later.

Without the certainty of an adequacy ruling any time soon, government advice is to begin preparing  for the use of Model Clauses and Binding Corporate Rules (BCR) to manage data transfers to the UK. Each of these may involve quite a lead in time for organisations to set up, so the time to act is now.

Uncertainty and Risk

What does that mean for organisations in the UK that rely on GDPR to support free flow of information within the EEA? It’s a risk, and one you should be ready for. While there is uncertainty about the future of data transfer arrangements between the EEA and the UK, it is worth beginning to prepare for the worst.

How do you prepare? The first step is a risk assessment. Organisations that have already worked to comply with GDPR will have a head start, as they will understand their data flows and have a strategy to employ safeguards to transfer. In effect, those who have records of processing and GDPR action plans will have already completed much of the analysis they need to pinpoint areas that need to be addressed.

If you haven’t done this already, and you do share personal data with the EU, understanding where your personal data is, where it comes from and where it is sent is now urgent.

With the future so uncertain, and such a high noise to signal ratio on the topic of Brexit in the media it is so tempting to switch off and pretend it is not happening. But for UK businesses sleepwalking into a no-deal/no data situation is not an option. If not already started, risk assessment, mitigation and safeguard arrangements need to start now.

Metataxis now on G-Cloud 10 framework

Metataxis are pleased to announce that public sector organisations can again access our services through the latest G-Cloud 10 framework.

Cloud services, such as O365/SharePoint Online, require careful planning, design and governance to be successful; however all too often this is just seen from a technical perspective rather than one based on the information and the user.

Metataxis can help organisations meet these information management and information architecture challenges that make the difference in being able to support long term adoption and deliver real value.

Metataxis offer a number of services on the G-Cloud:
Information Architecture
Information Management
Information Discovery
Content Migration
Training

If you would like any further information then please contact us.

AIIM GDPR Virtual Event

Metataxis are presenting a session at the AIIM GDPR Virtual Event.

The webinar will be jointly run by Marc Stephenson (Metataxis) and Patrick Cardiello (Active Navigation). The session has the acrostic title (we couldn’t help ourselves!) “Get Doing Privacy Right now!”, and details a case study in implementing GDPR for a global services organisation Metataxis is currently working with.

The aim of the webinar is to describe some real-world practical steps, especially around tools, for achieving GDPR compliance. The main tool we’ve been using for this client is the analysis and discovery tool from Active Navigation. This tool has been very effective at understanding the client’s information estate, which has made possible many GDPR tasks that couldn’t have been achieved without it.

See the Metataxis GDPR offering for more detail.

Metataxis now on G-Cloud framework

Metataxis are pleased to announce that public sector organisations can now access our services through the latest G-Cloud 9 framework.

Cloud services, such as O365/SharePoint Online, require careful planning, design and governance to be successful; however all too often this is just seen from a technical perspective rather than one based on the information and the user.

Metataxis can help organisations meet these information management and information architecture challenges that make the difference in being able to support long term adoption and deliver real value.

Metataxis offer a number of services on the G-Cloud:
Information Architecture
Information Management
Information Discovery
Content Migration
Training

If you would like any further information then please contact us.

The Implications of Blockchain for KM and IM

Metataxis are speaking at a seminar of the Network for Information & Knowledge Exchange (NetIKX), on Thursday 6 July 2017.

The seminar overview is: Blockchain is a word that is growing in usage – in both the IT and information management worlds. It is one of the most exciting and potentially game-changing technologies. But what is it and what does it mean? And as information professionals what do we need to know? What will be its impact on the management of information and knowledge?

See www.netikx.org/content/implications-blockchain-km-and-im-thursday-6-july-2017 or download a PDF summary for more information.

Pause for thought

Managing your information, and implementing a system to do it, is a complex task with many knots that need to be unravelled and it takes time to get it right.

All too often the focus of a project implementing such a solution is on getting it done rather than doing it right. Too much effort is spent moving the projects through various gateways rather than spending time on actually thinking through what needs to be done.

Information management systems such as SharePoint too often founder and ultimately fail to deliver the desired benefits because of this. Typically a system is rolled out successfully (i.e. on time) but it quickly degrades and information chaos ensues leaving users frustrated, information difficult to find and impossible to manage. In all likelihood you’ll end up with another project to put it right in a couple of years.

This situation can been avoided.

Proper thought must be given to understanding where you are and what you information landscape looks like. How can you build a system to manage your information if you don’t know what you’re intending to manage?

You must develop an information strategy so you know what you want to achieve and how you are going to go about it.

You must take time to design an information architecture that meets the needs of your users. This is vital to enable you to organise, describe and link information and the key to the efficient and effective use and management of your information.

And don’t forget about putting in place governance – without support, oversight and nurturing your nice new system will quickly end up a chaotic mess.

Remember that rolling out a system that meets a deadline doesn’t mean that you have a successful solution.

Think, plan, design – don’t just ‘do’.