Getting beyond the basics: Data Protection & Information Governance

Castlebridge Associates has been involved in a number of Regulatory consultations on Data Protection and Public Sector Data Governance over the years.

The 2012 submission from Castlebridge Associates on the EU Commission draft of the General Data Protection Regulation can be found here. Many of the comments made therein are based on our holistic philosophy for Information Management (CHIMA) that has formed the basis of much of our methodology development and training since 2009, including our DP202 course which is running in November.

In 2014 we were asked by Digital Rights Ireland to conduct a review of the proposed legislative framework for Data Sharing and Governance from the Department of Public Expenditure and Reform. In that review, we again found an apparent absence of basic understanding of the link between effective Information Governance practices and effective Data Protection compliance, and in some aspects a lack of understanding of established best practices in Information Governance. We were invited to present on our report to a public forum, a platform we shared with the Data Protection Commissioner. (The proposed Bill was subsequently pushed back on the legislative calendar for further work to be done on it).

Given our extensive work with Public Sector organisations in Data Protection and Information Governance, we consistently push the direct link between effective Information Governance, evidenced by Information Quality metrics, to support Data Protection outcomes. It was interesting, therefore, to read research from Trillium, an Information Quality and Data Governance software vendor, that was conducted in the UK Public Sector that found that Data Protection compliance was the single biggest driver for Information Governance initiatives there. (Kinda proves our point!)

At 83.6% Data Protection compliance tops Information Security, is streets ahead of Data Quality Improvement (40.6%), Customer Experience (33.6%), and even beats out Cost Savings (32.0%).

However, each of these represents a distinct Information or Process Outcome which any Information Governance initiative is being tasked with supporting.

One would hope that the organisations surveyed understand the direct and fundamental relationship between Data Protection and Data Quality (if not, we have a course that can help).

One would hope that the definition of their Information Governance initiatives addresses, in some way, the matrix of Key Resulting outcomes to be achieved and are not structured to solve a silo problem in a silo way, leading to the same silo problem that creates the need for effective Information Governance in the first place! (Again, we have a seminar for senior managers that can help with that)

(For more on Drivers for Data Governance and Information Quality, see this chapter from The Data Governance & Strategy Toolkit, first published by Ark Group in 2011)

One would also hope that, notwithstanding the fact that the survey was conducted by a software vendor, that the respondents understand that technology is not a panacea and that effective Information Governance, whether it is to support Data Protection or save a few quid off the budget lines. Pursuing this information revolution as a technology initiative is a recurring cul de sac approach, as Tom Redman has pointed out. While the use of “desktop tools” like MS Excel might be cumbersome, and while there are many excellent tools available, a sustainable change requires changing thinking about information in organisations so that the tools that are acquired are

• The right tools
• Used in the right way
• For the right objectives

(I have a rant about that here)

My €0.02

• The initial draft of the Data Protection Regulation raised some hope for Information Governance and appeared to herald a realisation in the legislature that there was a direct link between Data Protection, Information Governance, and Information Quality. This was at risk of being diluted in 2012 and is still on the “Critical List” in my opinion. However, it is essential if organisations want to move beyond “reactive” data privacy responses.
• The Irish Government, wisely, deferred a Data Sharing and Governance Bill that had a number of key weaknesses, not least around Information Governance practices. This demonstrated a realisation that it is important to get this right.
• The survey results from the UK show that Data Protection is a key driver for Information Governance.

However, these three taken together demonstrate an urgent need for Public Sector organisations to move beyond the basics of Data Protection and begin to develop the key skills in Information Governance that will enable them to bring the 9 drivers discussed in the Trillium research under a single strategic focus that will deliver prioritised and complementary benefits through a holistic Outcomes-oriented framework.

We’re teaching that in November. Early bird discounts are currently available for the first 7 people.

See https://castlebridge.ie/training/ for our course catalouge and other upcoming public courses.