
Understanding information governance in the aftermath of the GDPR

Des Ward, Information Governance Director Innopsis, says awareness of the rules under GDPR is imperative for an internet-first and a cloud native strategy

Over the past year, there has been a significant increase in understanding about personal data, predominantly because of the implementation of the General Data Protection Regulation (GDPR), supplemented in the UK by the Data Protection Act 2018.  However, there still remains a perceived barrier in relation to how personal data can be used within today’s digital society.

As a result of this perception, there’s been a general feeling within public sector organisations that the law stops them from sharing personal data.  Understanding what you can do with information, and what is permitted (and what is not), is a crucial challenge to address.

Is the challenge just the GDPR?

This challenge is not just for personal data though. Personal data only contributed a small fraction of the £364m in fines during 2017/18.  Moving forward, the fiscal impact of failing to provide effective governance is just as likely to be due to the Network and Information Systems (NIS) Regulations 2018. These were introduced just prior to the Data Protection Act 2018.

Those organisations that stopped their governance work after attaining GDPR compliance in Q1 2018 won’t have heard of the newer GDPR security outcomes published by the NCSC, or looked at the NIS Guidance Collection (or the NHS England Data Security Standards), and are likely to find themselves at the bottom of a steep learning curve; especially if they are merely addressing compliance requirements that don’t form part of a governance strategy.

Are we undertaking governance or reacting to compliance?

The need for an effective governance strategy is shown by the results of recent studies, which show that only 4% of organisations align to the NCSC cyber top ten, and that 53% of organisations invest in cyber controls after a high-profile breach rather than proactively selecting solutions that meet their needs.

In short, industry (and its customers) are effectively self-diagnosing symptoms and buying treatments off the shelf.  Just as it is better to seek the advice of a medical professional, it is advisable to understand what is causing the issues that are being faced and address those issues with a sustainable cure.

Organisations need to evolve beyond reactive, unbudgeted spending on ad-hoc compliance. For this, they are going to have to look beyond technology. They have to look at the information flowing within their organisations to inform their governance.

Many of the organisations I speak to believe they are prevented from sharing information. They feel the prevention is as a result of their GDPR compliance programmes. This conflicts with legal requirements for sharing personal data (e.g. within healthcare, social care, and criminal justice).

Addressing current and future data regulation challenges and enabling analysis and data sharing requires a reliable, robust data governance framework.

Was the opportunity of the GDPR lost?

How many of the organisations looked beyond personal data and the requirements of the GDPR when they reviewed their systems?

Those that didn’t are likely to have missed the opportunity to understand the requirements of the approximately 65-100 laws that govern their information management simply by virtue of the type of organisation they are; a figure that grows to over 4,000 when you start to look at activities undertaken in areas such as mental health and safeguarding.

In my experience, few organisations can name more than five laws that they have to comply with regarding information management. So, there is a real challenge to be addressed.

Those organisations that have looked beyond the requirements of the GDPR within their programmes will have more understanding of information within their organisations; not just the need to protect it, but also the need to share it and how they use it.

The main questions an organisation needs to ask itself in order to handle information lawfully are as follows:

  • Location of the data – how do you know where it is being stored, or if it has been deleted?
  • Format of the information – what is the asset?
  • Disclosure requirements – can you share it, and what are the requirements?
  • Retrieval requirements – the retention period and can you access the information throughout that period?
  • Handling requirements – does it need encryption, where can it be accessed from, what right of audit is there?
  • Usage requirements – what purposes was the information acquired for, how do you provide evidence that you meet those requirements?

What’s the benefit of addressing the opportunity?

Organisations need a deeper level of understanding of information when talking about disruptive technology such as cloud and smart cities. This is going to allow them to manage the risks better. Governance of information also aligns with the application-centric strategy of the government, set out in the GDS blog post “The Internet is OK”, the forerunner of the government’s Zero Trust Networking approach.

Zero Trust is a way the Government Digital Service has put forward for the Public Sector to improve its networking requirements.

The stated intention is to adopt Zero Trust Networking and dismantle networks within the Public Sector. Looking beyond the headlines, there’s much to commend in the principles and in their linkage to the network principles. Innopsis’s view is to take a hybrid approach, adopting Zero Trust across the network while continuing to maintain MPLS-based networks for the major offices and data centres.

Understanding the information an organisation holds means understanding what levels of service assurance are required. This is something that is increasingly important as we become more reliant on cloud services: outages to the service, or to the connectivity to it, have more impact on operations.

Understanding what you don’t know is part of the journey to adopting disruptive services

Greater levels of understanding lead to being better placed to safely adopt technologies that people are often wary of. This is because they’ve been taught for so long that they have to keep things secure behind big walls.  The reality of life is that this approach is no longer sustainable.

We’re seeing more progress towards security at the application layer, rather than relying on the network. However, if you don’t understand information that’s flowing across those services and applications, how can you really get the best out of these technologies?
