This year’s first Midlands meeting took place at the British Geological Survey (BGS) in Keyworth, Nottingham, with 22 delegates travelling to hear three talks about the GDPR.
John Day, the Information Security Officer at the BGS, gave an overview of his work on IT security in relation to data protection. IT security comprises five elements: confidentiality, integrity, availability, reputation, and compliance. John talked about cyber incidents reported to the Information Commissioner’s Office over the last two years and highlighted some high-profile cases such as Equifax, TalkTalk and Tesco Bank. He went on to review the major changes which the GDPR will bring for IT professionals, such as the new categories of personal data, including IP addresses and cookies.
BGS and its parent body, the Natural Environment Research Council (NERC), have been developing an information systems register which records where data is stored and what protections are in place. IT departments can support staff by advising them on technical matters including data encryption, access controls, perimeter controls, logging and reporting of events, and mobile device management. As a public sector organisation under the UK Government, BGS is required to comply with an industry standard, which is currently Cyber Essentials, but it is now looking at working towards compliance with the more extensive ISO 27001 standard.
The first guest speaker, Stefanie Jacobs from Microsoft, had travelled over three hours to join us on the day! The title of Stefanie’s talk was “Grasping the compliance nettle – GDPR and other fun topics for dinner parties”. She started by telling us that Microsoft believes that the GDPR is an important step forward for clarifying and enabling individual privacy rights. Stefanie looked at new rights for individuals, e.g. to object to processing of their personal data, and new obligations for organisations, such as to keep records detailing data processing and to outline processing purposes and use cases.
A key point with the GDPR is to recognise that compliance is a shared responsibility. Microsoft has made contractual commitments to its customers for cloud services that meet the new requirements, and Stefanie shared their top GDPR considerations and solutions with the delegates. She also gave us a simple roadmap on how we can get started (discover – manage – protect – report) and concluded by sharing the Microsoft mission statement: “Our mission is to empower every person and every organization on the planet to achieve more”. No mean feat!
And last, but by no means least, we heard from our very own IRMS Vice-Chair Emily Overton, this time with her RM Girl Consulting hat on (or should I say: a lovely dress!). Emily’s presentation was entitled “Information Asset Registers: What are they good for? Absolutely… everything… including GDPR!”
To help us focus on the essential attributes of the new regulations, Emily had come up with a new description for the acronym GDPR: it now stands for Good Documented Practice (with) Records. The starting point for this, as with any good records management, is to know what you have, where you have it and how long you have to keep it. She went through some possible forms of information assets, such as documents on the screen, processes, services, servers etc. These assets are live, being updated and reviewed regularly. They act as a dashboard for management and help to mitigate and manage the risks within the organisation.
Emily gave us an example of an information asset register with columns capturing information, which can be added to as required. We were also introduced to a sample data flow which helps us to see the big picture: what the data collection points, actions and assets themselves are, with whom the information is shared, what the security issues are, etc. She concluded by sharing her top tips, instructing us not to rush it: better to take your time and get it right one thing at a time.
There is a write-up of Emily’s presentation in the March issue of the IRMS Bulletin, which members can also access online. In addition, all three presentations are now available in the Midlands Members’ area of the IRMS website.