GDPR and the Public Sector

If you look at the enforcement notices on the Information Commissioner's site, you will see local government, police authorities and the NHS coming up regularly. The shortcomings that repeat are a lack of training, or a poor rollout of it, and a lack of, or failure to follow, policy and process: not responding to subject access requests, for example, or committing avoidable leaks of personal and sensitive data.

The same issues do come up again and again, which raises questions about effective leadership and direction, the sharing of best practice and learning from mistakes. Perhaps this is symptomatic of the attitude we see in organisations across business sectors that refuse to take any action until the worst happens. We are now seeing a similar situation with regard to the impending GDPR.

People, Process & Tools

I’m writing this piece while attending a conference in London, where part of the conversation is around Data Management and the GDPR. We’ve just had a very interesting presentation from a UK organisation that has been on the wrong end of cyber attacks associated with ‘Technical Debt’. One of the presenter’s conclusions was that the attack was a defining moment in being able to justify a major culture change and process improvement programme in his organisation. What is worrying is that he felt such a defining moment might have been the only way this programme would ever have seen the light of day.

We know GDPR compliance requires a complete culture change starting at the top. We also know the considerable amount of work that needs to be done around people and process. My own experience of the public sector covers both defence and local government. Some of the local government work came about after the merger of a number of councils, which caused identical issues to those caused by mergers and acquisitions in the private sector: for example, thousands of applications and their data (the Technical Debt mentioned above) with no supporting knowledge or documentation. Much of it was end-user computing, but some of it was databases that had become business critical. The aim of the project was to retire many of these applications and archive the data centrally.

Have you ever been in the situation where someone turns off or removes the PC that sits on the table in the corner, and which appears to have no purpose, only to find it actually runs a critical business function and is a single point of failure? Yup, it happens.

Data Archive is Dead, Long Live Data Archive

About 10 years ago I attended a job interview where I was told that data archiving as a business solution was dead and that my prospective employer (a data management software vendor) was pulling out. Interestingly, one client was recently telling me about a content management solution that was built over 15 years ago with the explicit requirement that data could not be deleted under any circumstances. That is now proving to be an expensive decision to reverse. I believe that, with the GDPR approaching, Data Archive is more important now than ever before:

  • Reducing the strain of subject access requests.
  • The right to be forgotten and the need to delete related data.
  • The regulatory requirement that Personal Data shall not be kept for longer than is necessary. You know, another one of the regulations that tends to get ignored.
  • Not having appropriate consent for data that you hold. I read recently that a marketing company was going to the extreme of deleting its marketing database because it could not rely on its consents.
  • Data archive for application retirement.
  • I heard a quote that typically 60-75% of data held by organisations is either redundant, obsolete or trivial. Read closely… ROT.

I’ve seen both ends of the spectrum. One of my former employers had corporate data retention policies in place and an automated solution to remove obsolete data - I built this with a colleague using a commercial toolset. On the other side, I heard from a competitor that no data had ever been deleted from their policy database in the 15 years it had been up and running.

It’s worth mentioning that data archive does not necessarily mean immediate deletion. Common tool functionality includes the ability to move data to an archive repository where automated retention policies are applied, deleting the data as and when the policy requires.

Are you thinking about data retention or data archive? Do you want to know more? The team at Sogeti can help you on that journey, so contact one of our experts today - Andrew Crouch on andrew.crouch@sogeti.com
