However, this could not be further from the truth. I’ve written on my personal blog about using an Asset Life Cycle model to help manage your information more effectively. In that post I used the data protection failings in Temple St. hospital as a case study for how thinking about information as an asset might have prevented the problems. At the end of next month I’m also delivering a FREE tutorial that might help prompt some clear thinking for people in this area at an ICS/IAIDQ conference.
However, as Castlebridge Associates begins to mature through the Start Up phase, I’m finally getting to the point of putting together the Data Controller registration for us, now that we are starting to get people coming to talk to us and we are capturing personal data. As I work through the process (and it is technically very straightforward) it is clear to me that the simple act of registering with the Data Protection Commissioner is actually a great tool to help you think about all aspects of your business and how you will manage and run them. In fact, I personally think that this process has made me think more about current and future evolution of the business than a lot of the business plan advice stuff I have read over the past few months.
For a start – does Castlebridge Associates need to register? Well, a quick look in the guidance notes doesn’t shed any immediate light on things to be honest. However, if we think POSMAD for a moment, I think it might be prudent because who knows whether we will go down the route of processing personal data for supply to others, for example through partnerships or lead sharing or collaboration.
Secondly, the registration process requires me to immediately identify a person who is responsible for Data Protection in the organisation. At this stage, that’s simple for Castlebridge Associates. However, it does mean having to think immediately about Governance and Who Governs, and perhaps even How do we govern in the context of the Information Assets in the business.
You are then presented with the need to think about what are the things you will be doing with personal data to drive and derive value in your business. In other words – what makes the information an asset to you rather than just stuff cluttering up a database and creating as security headache for you. Specifically, the Data Protection Commissioner requires that “you should provide a general, but comprehensive, statement of the purposes for which you carry on your business, trade or profession”.
In other words – have a really good think about what your business does or is going to do with personal data. I’ve had to sit and think about this a bit as it will affect strategy and execution (e.g. partnerships or working with Professional organisations or developing links with training accreditation bodies). But that means that I’ve had to think about what it is I want to be doing in 12 months with the data the business will be gathering and make a provision for it in what I’ll be submitting to the DPC.
This means I am (hopefully) going to avoid the pitfalls of entrepreneurship highlighted by a famous episode of South Park (substitute “information” for “underpants” in this graphic and it reflects what I have experienced as an all to common way of looking at CRM, ERP or similar investments). Collecting personal data just because you can and without a clearly defined purpose is not legal – it is contrary to the Data Protection Act. Furthermore, referring back to the POSMAD model again, if your model is “Information -> Question Mark -> Profit” then you don’t really have a business plan for deriving value through the application of the information as an asset.
Then things get granular. The DPC asks you about the types of data that will be used in each stated purpose (e.g. name and address data for direct marketing). And this is where the POSMAD model comes into its own in my view. Because I’m having to think about what the business will need to know to achieve objectives.
This means I am having to plan the attributes of the information asset and, before I capture datum one, I need to have a reasonably good understanding of what will be needed to enable certain things. For example, is there a scenario where I might need to capture a PPSN number for people attending a training course? If so, what does that mean for the security controls that Castlebridge needs to have in place and the potential for having to purge data on a scheduled basis to be compliant?
Also – who might I be sharing personal data with and under what circumstances, and what countries they will be in are all considerations that affect how the business model is planned and executed and what internal processes, controls, metrics and governance need to be in place to ensure that information is being properly protected.
Ultimately, that then helps me drive out the key questions and answers as to how information should be managed in this business, and identify key requirements for any database into which personal data is going to be entered – for example, having the ability to check when the record was last updated and run reports on that as a KPI for Data Protection Excellence.
In conclusion – Data Protection compliance, and even the simple act of registering as a Data Controller with the DPC, should make you think about your information assets and begin to understand how they need to be managed and governed.
Security and retention questions are the tip of the iceberg in my experience, and having an information quality management principle based approach to identifying and defining your Data Protection strategy can result in a more holistic solution that improves your ability to prove compliance.
So… why not take a look at Data Protection Registration and see if it makes you think about how you run your business today and how you might want to be running it in the future.