GDPR and Information Governance

Introduction

Tue Dec 12 23:00:20 2017

The GDPR, the General Data Protection Regulation, is enforceable from 25th May 2018. The law was passed into effect in 2016 and was then moved to a transitionary phase to allow businesses and organisations to adapt. I will be discussing some of the aspects of the GDPR as I navigate helping businesses and organisations I am involved with change to reflect the new legislation.

In this article I am going to discuss how we can see the requirement to keep data secure, or as the GDPR puts it ‘ensure a level of security appropriate to the risk’, not as an instruction to lock data away but as a chance to see data storage as information governance.

Encryption, Anonymisation, Lifetime and Access Rights

Security

One of the requirements of the GDPR is the safety and security of data. Some have taken this to mean that you must use complex security measures with encryption and intrusion detection to ensure this. Although the GDPR does mention examples, it doesn’t place a specific requirement. Instead it states in Article 32:

“measures to ensure a level of security appropriate to the risk.”

Broadly this means that if there is little risk, perhaps because little data is stored or because of the type of storage, then you comply without complex encryption or detection. For many, from medium businesses to sole traders, a good password protocol, anonymisation, and a reduction in the amount of data will suffice.

You can read more about Passwords on my blog here, but let’s look at anonymisation and the reduction of data.

Anonymisation

The GDPR makes use of the term Personally Identifiable Information (PII). This is any data that identifies an individual. It can include email address, physical address, IP address and even a combination of details such as gender, age and postcode or multiple transaction locations. With that in mind it is worthwhile considering a move to anonymisation. I covered this in my article on Data Management.

In short it is wise to remove any data that can identify a person and keep that data separate to any personal details. Personal details themselves are probably the items that you might want to consider encrypting or storing behind a strong password or biometric protection.

Anonymisation and archival storage in encrypted form add a layer of protection: the more sensitive or potentially identifiable the information, the more anonymisation and protection you should apply. But a better method exists: the reduction of data.

Reduction of Data

The most efficient response to the incoming legislation is to reduce the amount of data that you store. There is a tendency in modern life to store as much data as possible. We have become data hoarders and the sale of data has become big business. The GDPR intends to directly confront this and the best compliance is to reduce your data store.

Take a look at what data you collect.

  • How much of it is actually needed to pursue your business?
  • How much of that data can be made into single transactional usage?
  • How much can be anonymised?
  • How much of the data can be given a shorter lifespan, reducing the need for anonymisation, encryption, lengthy audit routes and complex compliance checks?

Reducing the data you store will prove cost effective to your business in terms of physical complexity and is the most effective way of mitigating risk. Observing Article 32’s requirement to secure processing, along with Article 5’s retention limitations on data and Article 17’s right to have data erased, requires an understanding of what information exists, its value and its location, along with who has access to it. If we couple this with encryption, security, anonymisation and reduction of data then it is in fact part of an information governance process.

Information Governance

I am going to start by giving you the Wikipedia definition of Information Governance:

“Information governance, or IG, is the set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information at an enterprise level, supporting an organization's immediate and future regulatory, legal, risk, environmental and operational requirements. Information governance should determine the balance point between two potentially divergent organizational goals: extracting value from information and reducing the potential risk of information. Information governance reduces organizational risk in the fields of compliance, operational transparency, and reducing expenditures associated with e-discovery and litigation response. An organization can establish a consistent and logical framework for employees to handle data through their information governance policies and procedures. These policies guide proper behavior regarding how organizations and their employees handle electronically stored information.” (https://en.wikipedia.org/wiki/Information_governance)

The requirements of the GDPR are best thought of as an exercise in governing your information and building formal processes for the storage, usage and lifetime of your data. The very last part of this is the access to the data.

As an organisation you should have clear policies on who has access to the data that you store. You should have a clear understanding of where it is stored. You should have clear policies for the lifetime of the data, how long you keep it and what process will be used to remove it.

This is coupled with the access and sharing with any third party. If you share data with a third party you should be familiar with their processes and you need to communicate that to the individuals whose data you store and share.

If you follow the advice in this GDPR you will have already decided:

  • What information you absolutely need to do business.
  • What data you need to do transactions that need not be kept.
  • What data needs to be stored behind encryption or protections.
  • What data needs to be anonymised.
  • The lifetime of the data and what processes you have to remove and delete it and what must be kept for longer term or legal processing.
  • What data you do not need and can be immediately removed.
  • Where that data is and who has access to it and for what reason.

This is your Information Governance and it should be a written document that you follow closely. It will allow you to run an audit in the case of a breach. It will prove your attempts to show compliance. It will form the basis of communicating your procedures and processes when seeking consent from those you hold information on.
