The download report button is carcinogenic

How comfortable are you having a conversation that starts “the spreadsheet you emailed is going to cost us four million dollars”? Probably not very comfortable – but it’s where current data handling practices will lead us. Privacy laws are penalising loss of control of data – not actual harm to subjects of the data. This is why controlled handling needs to be an operational capability for any organisation handling personal data.

The CRM system is a great example of the problem – it generally has the crown jewels of personal data, and easy download capability. The standard response to “Joe needs a list of customers for x” is to cut a spreadsheet full of personal information, and email it.

Then what?

Every system the data touches after that makes a couple of uncontrolled copies – backups, replications, shares, edits. It’s like cancerous cells – a few here and there multiply to become a much larger problem. Under GDPR, it’s a 4%-of-revenue-sized problem when the data is emailed to the wrong person.

The key to removing the problem is providing capability to handle data without downloading it. Simply, your employees need to be able to run their business process end-to-end without downloading and emailing a spreadsheet. If they can’t, you’ve got a carcinogenic problem within your organisation.

Collaboration governance and notifiable data breaches – how do you achieve certainty?

The Privacy Amendment (Notifiable Data Breaches) Act 2017 will come into force on the 24th of February 2018. It means that an Australian Privacy Principle (APP) entity with reasonable grounds to believe an “eligible data breach” has occurred needs to report it to both the Office of the Information Commissioner, and the affected individuals, and conduct an investigation within 30 days. Many organisations will fail to effectively service this requirement because their response will rely wholly on meta-data. Effective responses will be made possible via systems that automate the collection of both data and meta-data about content collaboration events involving external parties.

In the lead-up to reporting an event, the difference between a notifiable event and the continuation of business as usual is likely to come down to being able to answer a few specific questions –

  1. What information did we lose control of?
  2. To whom was it exposed?
  3. What is the level of certainty?

In an organisation with automated external governance capture, the answer can look like “we provided x content to y, here are the audit trails and here is the content in its original form”. This answer will likely have a high degree of stability over time.

Organisations with less mature governance frameworks will rely on machine meta-data and interview data. A response from this organisation will have a high degree of ambiguity – “we can see that x accessed y cloud service and uploaded some content that might contain z data”. Three months later, a response even at this level of certainty may be impossible as meta-data logs are routinely overwritten.

Organisations that effectively move towards maturity do it by enabling content-based processes, with tools that make process work more efficient, and capture data and meta-data as a by-product of usage. In the vast majority of cases that I have worked on, control was lost due to the lack of an approved tool rather than by accidental means or malicious attempts to circumvent controls. Once an approved tool is implemented, steps can be taken to reduce access to other tools over time – this will include putting barriers in front of physical media, internet sharing services and email.

Ultimately, good response under mandatory breach disclosure is going to come down to having both the data and the meta-data. If you’re struggling with how this will play out in your organisation and you’d like to understand one approach, please reach out to me, particularly if you’re an HPE Content Manager, SharePoint or Objective ECM customer already.

If you’re looking for a good primer on notifiable data breaches, I found the link below from Clayton Utz extremely useful; you can also find lots of good information on the website for the Office of the Information Commissioner.

https://www.claytonutz.com/knowledge/2017/march/take-notice-mandatory-data-breach-notification-laws-to-take-effect-by-23-february-2018