In the digital age even the smallest of organisations can generate huge volumes of data each day. Whilst it can be challenging to keep track of all of that data, you risk breaking the law, losing data, breaching confidentiality, damaging your reputation and incurring hefty monetary penalties if you fail to keep track of all of the confidential and/or sensitive data that your organisation controls and/or processes.
At present in the UK the Information Commissioner has the power to impose monetary penalties of up to £500,000 per breach of the Data Protection Act 1998. Under the new EU General Data Protection Regulation (GDPR), which will affect UK businesses irrespective of ‘Brexit’, supervisory authorities will have the power to levy fines of up to 4% of an organisation’s global annual turnover.
If you have not already done so, the first thing that we recommend you do in order to reduce the Information Governance risks which your organisation actually and potentially faces is to establish exactly what confidential and sensitive data your organisation controls and/or processes.
It is important to note that under the new EU General Data Protection Regulation data processors will for the first time be held directly accountable for data breaches, in addition to data controllers (who are already directly accountable). In short, this means that your organisation can be held accountable for data that it does not own but is responsible for processing, even if only in part.
Information Asset Registers (IARs) provide an effective means of keeping track of all confidential, sensitive and otherwise valuable information (referred to herein as Information Assets, or IAs) that you control and/or process. Used effectively, IARs can also help you to know the true value of the data you hold and to leverage its potential fully. What’s more, knowing what information really matters to your organisation can help you to reduce the cost of storing and/or securing unnecessary data.
Creating and maintaining a simple spreadsheet or database which records, as a minimum, the following basic but important information about the IAs that your organisation controls and/or processes will go a long way towards solving this problem:
2. Know what confidential and sensitive data goes where and how it gets there
Now that you know where all of your organisation’s IAs are at rest, you will need to understand how those IAs move around, both within and outside of your organisation.
There are several different methods that can be adopted to map data flows; the right approach for your organisation will therefore depend very much upon the nature, volume, sensitivity and complexity of the information your organisation processes.
The simplest way to begin mapping your organisation’s data flows is for each information asset owner to quite literally draw diagrams which outline:
3. Deliver engaging & contextualised training and issue clear guidance
Arguably, one of the most important controls that you can put in place to mitigate information governance risks is to ensure that all of your staff are adequately trained and provided with clear guidance that enables them to confidently discharge their information governance responsibilities.
You can have all of the information governance policies, strategies, procedures and technological controls in the world in place, but they are of limited value, and may only serve to heighten risk (not to mention cost), if they are not accessible to and clearly understood by staff.
The question is: how do you ensure that all of your staff are adequately trained in Information Governance?
Achieving this can be particularly challenging in larger and more complex organisations. As well as being busy, it is fair to say that many staff simply find the subject of Information Governance rather dry. This can make the task of ensuring that all of your staff (including contractors, agency and bank staff, and volunteers) are adequately trained seem, at times, like an uphill struggle.
So, whatever you can do to deliver engaging and contextualised information governance training will help to ensure that staff get the important messages. Keep it clear, concise and, most importantly, up to date. It is worth spending time and/or seeking expert advice when developing or purchasing your training materials.
The more relevant the materials are to what your staff actually do, the more likely it is that they will engage and understand exactly what is required of them. This reduces the likelihood of data breaches resulting from human error, which is one of the most common root causes of data breaches.
How much do you actually know about the information governance controls in place at each organisation that directly processes your organisation’s confidential and sensitive data (e.g. IT software and hardware suppliers, mailing houses, couriers etc.), or that has access to it (e.g. cleaners and maintenance contractors)?
Make sure you do your due diligence when choosing suppliers that are likely to have access to confidential and sensitive data, and go as far as running checks on sub-processors and even sub-sub-processors (as you will in certain circumstances be required to do under GDPR).
There are lots of things that you need to consider from an Information Governance perspective when selecting suppliers that will process data on your behalf. To help get you started, here are some key questions for you to ask …
Organisations that face the stiffest sanctions for breaches of EU and UK data protection laws are those that either knew, or ought to have known, that there were risks and did nothing demonstrable by way of mitigation. It is important that you give careful consideration to all of the possible risks to which your organisation’s IAs are exposed.
Conducting the information asset management and data flow mapping exercises will enable you to identify many of the reasonably foreseeable risks to which your organisation’s IAs are exposed. You may, for example, identify that inadequate organisational and technological controls are in place to secure your organisation’s IAs at rest or in transit, or that inadequate business continuity and disaster recovery plans are in place to enable your organisation to cope in the event of a system failure or data loss.
There are many, often complex, questions to consider in order to conduct a robust analysis of the information risks to which your organisation is exposed. To support you in your efforts, it will almost certainly help to gather all of the information asset owners and other key stakeholders around the table (or on a conference call or hangout) to conduct one or more brainstorming exercises. Simply ask each owner: what risks do you consider your IAs to be exposed to, and what can we reasonably do to prevent breaches?
Once you have identified all of the risks to which your organisation’s IAs are exposed, identify the specific organisational, people-based and technological controls that are in place, or will be put in place, to mitigate them. Ensure that you record the risks and the rationale behind any mitigating controls that you chose to adopt, or not to adopt, escalating any significant risks to the board.