Sunday, 17th November 2019

Time for a Data Spring Clean?

With GDPR in the air, an information audit could stop your business hoarding data it will never need, says Dave Nicholson of Axial.

Are we in danger of losing all sense of proportion when it comes to collecting data? Ever since the term ‘big data’ was coined, we’ve begun to value quantity over quality. Our data, we are told, is our goldmine – yet we ignore the fact that freshly mined gold comes with impurities and needs to be extracted from its ore.

The data gathering instinct has become more pronounced with the emergence of AI and machine learning. We’re told that all data is valuable when the right algorithms can turn the dross into actionable insight. Yet incomplete, inaccurate and irrelevant data can clutter up a business and stop it from functioning at full efficiency.

There’s evidence that there can be such a thing as too much data. Forrester Research has estimated that up to 73% of the data being collected will never be successfully used for any strategic purpose. The Veritas Global Database Report comes to a similar conclusion: that 53% of all information stored is considered to be ‘dark data’ whose value is unknown.

This is backed up by US management consultants New Vantage Partners, whose survey revealed that while 70% of those businesses polled were aiming to establish a data-driven culture, fewer than 28% had been successful.

This isn’t to diminish the promise of big data and the significant gains that can be made by planners, marketers and others by analysing their data to forecast trends and reveal insights into their markets and customers. It’s more to add a realistic note and a reminder that data without integrity equals data clutter.

Currently one of the checks on big data enthusiasm is anticipation of the GDPR deadline in May this year. GDPR applies to all organisations processing and holding the personal data of data subjects residing in the EU, regardless of the organisation’s location. As such, it will not only impact organisations located within the EU but also those located outside it that either offer goods or services to, or monitor the behaviour of, EU data subjects.

The imminent regulation is forcing businesses to rethink their data protection policies – and strengthen them if necessary. It is effectively a policy enforcement change that impacts the way data is managed, stored, processed and accessed across the enterprise.

GDPR essentially lays down the minimum that businesses should be doing to protect all this data, particularly the most sensitive and personal. This latter description typically covers data that could be used to identify a person, and not only identify them, but potentially adversely affect them moving forward. And GDPR has a wide interpretation of what this covers, incorporating name, address, date of birth, National Insurance number, credit card and bank account numbers but also such details as social media posts, photographs and even IP addresses.

In a move last year widely publicised and debated in the IT press, the pub chain J D Wetherspoon deleted its entire customer database – reported to be hundreds of thousands of email addresses. The company said it no longer wanted to be ‘intrusive’ to customers and in a change of marketing strategy would now promote deals on its website, as well as its Twitter and Facebook pages.

However, it had clearly been burnt by a breach of its customer database a couple of years ago. It was also likely to have been influenced by a string of fines for companies such as Flybe and Honda who had sent emails to people without explicit consent. These penalties were imposed under current terms. Under GDPR they would have been multiplied almost beyond recognition.

The proximity of the GDPR deadline makes this a great time for a data ‘spring clean’. Besides, decluttering is simply good practice in data management terms. Businesses need to think about why they collected the data in the first place and what value it is bringing them. If the answer is none, then why not get rid of it all, wherever it resides within the organisation? Why not eliminate it from servers, back-ups and cache memory and reduce their GDPR burden at a stroke, while also improving their chances of compliance with other data protection regulations in the future?

For most organisations, the biggest issue in this context is understanding what data they have got and where that data is located within the business. Consequently, an organisation-wide information audit will be worth the time and effort in the long run.

Businesses should document what personal data they hold, where it came from, who has access to it and who they share it with. They should then ensure controls and practices are being enforced correctly. For example, if they hold inaccurate personal data and have shared this with another organisation, they will have to tell the other organisation about the inaccuracy so that it can correct its own records. Yet they won’t be able to do this unless they have documented what personal data they hold, where it came from and who they share it with.

This documentation process will also help to comply with the GDPR’s accountability principle. This requires organisations to show how they comply with the data protection principles, such as having effective policies and procedures in place.

However, most will know that they hold GDPR data and they may even know where most of their structured data is. They are unlikely, though, to know where all their unstructured data is located, and this is a big concern. Unstructured data is being generated on a day-to-day basis and most organisations quickly lose track of where it is.

Issues can arise, for example, when departments create copies of centrally-stored lists on local devices. These lists are typically used for multiple repeat mailings but often not updated when individuals ask for their details to be removed. Businesses will be in breach of GDPR as a direct result.

Another potential issue is when multiple departments within the organisation are duplicating information about the same customer. This can then make it difficult for businesses to respond effectively to requests for information from individuals about data held about them.

It will be difficult for most businesses to get rid of all their inaccurate, incomplete and generally useless information without taking as drastic a step as Wetherspoon. Yet most are unlikely to want to go this far having spent years building up their customer databases. But being organised and disciplined about destroying data that isn’t needed or is incomplete as it is encountered will go a long way to letting the business breathe more freely – and worry less about GDPR.
