
The Era of the Technology Enabled DPO has Begun

Confucius once said ‘Life is really simple, but we insist on making it complicated.’ One can only imagine Confucius’ reaction to a roundtable with a DPO, CISO and CIO in 2018. ‘You connected what, why?’ ‘You understand this behaviour, how?’ ‘Robots are storing information, why, how and where?’

Staring bleary-eyed back at Confucius the tech leaders might retort, ‘We aren’t making it complicated, we are the ones managing complexity.’

Herein lies the reality for the technology leader in 2018: the advance of technology lies outside our control and, like the frog in the slowly heating pot, the pressure to protect critical data is rising, with little support for those in the pot to build the more heat-resistant capabilities they need.

In a search for that extra protection, DPOs in particular are turning to technology, and here’s how.

The 2018 EY-International Association of Privacy Professionals (IAPP) privacy governance study found that 56% of businesses believe they are not yet fully GDPR compliant, and 20% believe full compliance is impossible.

To understand how DPOs are turning to technology to close the compliance gap, let’s look at how spending on data privacy/GDPR compliance has changed over the past few years.

The EY-IAPP report has a few telling statistics in this regard:

  • Amongst companies preparing for GDPR, 57% are investing in technology in 2018, up from 27% in 2016.
  • 68% of programme leaders now say data inventory and mapping is a priority, up from 48% in 2016.
  • IT and Information Security now house 30% of GDPR/information governance programmes, up from 14% in 2016.
  • Right to be forgotten and subject access requests were voted the two most difficult GDPR obligations to fulfil; both currently rely on manual data discovery across multiple applications and platforms.

The observed compliance gap, together with the shift from spending on people to spending on technology, suggests that data discovery, compliance and security is a problem that exceeds the capacity of even the best-intentioned human teams.

At the same time the number of DPOs is rising, with DPO vacancies up a staggering 700% on two years ago.

We can learn two things from this:

  • Data Protection Officers are turning to technology to help discover and protect data
  • Despite the increase in technology uptake, the human role of directing technology is more important and involved than ever.

And so the era of the technology enabled DPO has begun. Fortunately, technology for DPOs seeks for the most part to automate manual processes, making the marriage between humans and tech in data protection truly Cyborgian in nature.

This marriage should seem intuitive, as the first task of any newly appointed DPO is to answer: ‘What data do I have? Where is it? Who has access to it? How is it secured?’ It is unrealistic for Data Protection Officers to be literally hands-on with data in 2018, hence the rise of smart data discovery and control tools.

So what technology solutions can help?

Data discovery and compliance technologies like Exonar in the UK have emerged in the past 18 months, offering plug-and-play solutions for automated enterprise data discovery where previously none existed. These solutions discover data automatically to create accurate, real-time, classified inventories of information that allow DPOs to see a full breakdown of data and its sensitivity across an organisation, enabling DPOs to govern and protect data effectively.
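To make the four DPO questions concrete (what data, where, who has access, how sensitive), here is a small discovery scanner written for this article. It is an added illustration, not Exonar's code or a description of how the Exonar platform works. It walks a directory tree, counts a few sensitive-data indicators in each file (email addresses, UK National Insurance numbers, payment card numbers confirmed with the Luhn checksum, and password assignments, the kind of content mentioned elsewhere on this page), records the file's owner and whether it is world-readable, and assigns a sensitivity label. The indicator patterns, the labelling policy and the sample files are all assumptions constructed for the example.

```python
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# Indicator patterns (assumed for this example; a real product uses far more).
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
NINO_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")   # UK National Insurance number, format check only
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")               # card-number candidates, confirmed with Luhn below
PASSWORD_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right; the total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Finding:
    path: str
    classification: str
    indicators: dict        # indicator name -> number of hits
    owner_uid: int
    world_readable: bool

def scan_text(text: str) -> dict:
    """Count sensitive-data indicators in a document's text; only non-zero counts are kept."""
    cards = [re.sub(r"[ -]", "", m) for m in CARD_RE.findall(text)]
    counts = {
        "email": len(EMAIL_RE.findall(text)),
        "nino": len(NINO_RE.findall(text)),
        "card": sum(1 for c in cards if luhn_ok(c)),
        "password": len(PASSWORD_RE.findall(text)),
    }
    return {k: v for k, v in counts.items() if v}

def classify(indicators: dict) -> str:
    """Map indicator counts to a sensitivity label. The policy here is an assumption for the example."""
    if indicators.get("password") or indicators.get("card"):
        return "Confidential"
    if indicators.get("nino") or indicators.get("email"):
        return "Personal"
    return "Internal"

def build_inventory(root: str) -> list:
    """Walk a tree and record, per file: what it contains, where it is, who owns it, who can read it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue   # unreadable by the scanner; in practice log it, an unscanned file is a gap
            st = os.stat(path)
            ind = scan_text(text)
            findings.append(Finding(
                path=os.path.relpath(path, root).replace(os.sep, "/"),
                classification=classify(ind),
                indicators=ind,
                owner_uid=st.st_uid,
                world_readable=bool(st.st_mode & stat.S_IROTH),
            ))
    return sorted(findings, key=lambda f: f.path)

# Constructed sample files, not real records.
SAMPLE_FILES = {
    "hr/payroll.csv": "name,nino,email\nAda Lovelace,AB123456C,ada@example.com\n",
    "it/db-notes.txt": "Connection string for reporting DB\npassword = Tr0ub4dor&3\n",
    "finance/refund.txt": "Refund to card 4111 1111 1111 1111 approved.\nOrder ref 1234 5678 9012 3456\n",
    "public/newsletter.txt": "Our new office opens in Newbury next month.\n",
}

def make_sample_tree() -> str:
    """Write the sample files into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="inventory-")
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "hr", "payroll.csv"), 0o600)         # owner-only
    os.chmod(os.path.join(root, "public", "newsletter.txt"), 0o644)  # world-readable
    return root

if __name__ == "__main__":
    for f in build_inventory(make_sample_tree()):
        print(f"{f.classification:<12} {f.path:<22} uid={f.owner_uid} world_readable={f.world_readable} {f.indicators}")
```

Two details matter in practice. The card pattern alone would flag the order reference in `finance/refund.txt`; the Luhn check is what separates a real card number from a sixteen-digit reference. And the inventory records permissions alongside content, so the payroll file (owner-only) and the newsletter (world-readable) are distinguished even before anyone looks at what is inside them.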

Through the marriage of DPOs and data discovery technologies, data protection programmes can instantly become much more achievable, accurate, and less work for those involved. The era of the technology enabled DPO has begun.

https://iapp.org/media/pdf/resource_center/IAPP_EY_Gov_Report_2018.pdf

John Tsopanis
Data and Privacy Director, Exonar

Exonar has the SARlution to Subject Access Requests

Newbury, UK, November 2018: Exonar has launched a new website to showcase its Case Management Module that can dramatically decrease the time and cost involved in processing Subject Access Requests (SARs).

SARlution demonstrates an easy way to deal with SARs by using Exonar’s platform to find all the necessary personal data digitally, understand how that data is processed and stored and create simple templates to complete SAR cases. The graphical dashboard shows how many SARs have been processed and how many are waiting to be processed and tracks the time to completion.

SARs can be expensive and disruptive to an organisation. To address this, Exonar’s platform maintains an up-to-date index of all information. It uses machine learning to understand customer data in emails, databases, Word documents and spreadsheets. It’s automated and intuitive, enabling rapid data collation to reduce the time required for processing SARs.

As an example of the complexity involved in completing requests, when an Exonar employee submitted a SAR to their bank – with whom they had been a customer for over 10 years – they received around 800 sheets in 15 reams of paper.

Adrian Barrett, CEO and founder of Exonar, said: “SARs can contain a huge amount of information, often filling two or more courier shipping boxes. Finding, collating and redacting all of this information can hit organisations hard in terms of both cost and time to complete. But the latest technology can dramatically reduce the complexity of dealing with requests, driving down the time required to complete requests from days to minutes.”
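The collation and redaction workflow the release describes, as an added example written for this page rather than Exonar's own code: records from several systems are held in an inverted index keyed on structured identifiers (email address, National Insurance number), so answering a request becomes a lookup instead of a search, and third-party identifiers are masked before anything is released. The records, the requester and the two identifier patterns are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
NINO_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")   # UK National Insurance number, format check only

@dataclass(frozen=True)
class Subject:
    """The requester, as verified at intake (identity checks happen before any search is run)."""
    name: str
    email: str
    nino: str

    def identifiers(self) -> set:
        return {self.name.lower(), self.email.lower(), self.nino.lower()}

# Constructed sample records from several "systems"; not real data.
RECORDS = {
    "crm/ticket-4412.txt": "Customer Ada Lovelace (ada@example.com) reported a billing error. Agent: Charles Babbage.",
    "hr/payroll-2018.csv": "Ada Lovelace,AB123456C,ada@example.com\nGrace Hopper,CE654321A,grace@example.com",
    "mail/complaint.eml": "From: grace@example.com\nSubject: Complaint about service\nI spoke to Ada Lovelace today.",
    "marketing/newsletter.txt": "Our new office opens in Newbury next month.",
}
ADA = Subject("Ada Lovelace", "ada@example.com", "AB123456C")

def build_index(records: dict) -> dict:
    """Inverted index: each structured identifier -> the records containing it.
    Maintained as documents change, this is what turns a SAR into a lookup."""
    index = defaultdict(set)
    for path, text in records.items():
        for ident in EMAIL_RE.findall(text) + NINO_RE.findall(text):
            index[ident.lower()].add(path)
    return index

def collate(subject: Subject, index: dict, records: dict) -> list:
    """Every record that mentions the subject by identifier or by name."""
    hits = set()
    for ident in subject.identifiers():
        hits |= index.get(ident, set())
    # Names are too ambiguous to key an index on; fall back to a text search for them.
    for path, text in records.items():
        if subject.name.lower() in text.lower():
            hits.add(path)
    return sorted(hits)

def redact_third_parties(text: str, subject: Subject) -> str:
    """Mask identifiers belonging to anyone other than the subject, since other people's
    data must not be disclosed in the response. Third-party *names* are left for human review."""
    keep = subject.identifiers()

    def mask(m):
        return m.group(0) if m.group(0).lower() in keep else "[REDACTED]"

    return NINO_RE.sub(mask, EMAIL_RE.sub(mask, text))

def prepare_bundle(subject: Subject, records: dict) -> dict:
    """Path -> redacted text for every record to be released to the subject."""
    index = build_index(records)
    return {path: redact_third_parties(records[path], subject)
            for path in collate(subject, index, records)}

if __name__ == "__main__":
    for path, text in prepare_bundle(ADA, RECORDS).items():
        print(f"--- {path}\n{text}\n")
```

Running it for Ada returns the CRM ticket, the payroll row and the complaint email, and leaves the newsletter out. Grace's email address and National Insurance number are masked in the payroll file and the email header, but the agent's name in the CRM ticket is not: names need either a person-entity model or the reviewer's judgement, which is exactly the step that still takes the black pen in the NHS account further down this page.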

SARs and GDPR

SARs predate the GDPR: the Data Protection Act 1998 gave individuals a right of subject access. Since the EU General Data Protection Regulation (GDPR) took effect in May 2018, the time organisations have to complete a request has been cut from 40 days (under the 1998 DPA) to one month, and in most cases requests must now be completed free of charge, where the DPA had allowed a fee to be charged.

Failure to comply with requests or meet deadlines can expose organisations to new enforcement measures wielded by the UK’s Information Commissioner under the GDPR, including large fines.

But faced with these changes, many organisations will struggle to complete SARs because of the many systems, departments, processes, people and business units often involved in fulfilling one. Exonar spoke to a former SARs processor within the NHS about the challenges of dealing with Subject Access Requests in an under-resourced environment. Read the full article here: exo.nr/SARsNHS

The cost of compliance

The new requirements present significant challenges to organisations that rely on old processes. For example, Exonar’s recent Freedom of Information (FOI) research into how the public sector deals with SARs found that the average cost of processing a request is £145.46, but in some cases the cost was much higher, such was the complexity of finding the data and the associated administration.

The research also found that many organisations failed to meet the statutory deadline for answering Exonar’s FOI requests (20 working days). The average response time was 24 days, highlighting the difficulty many will face in complying with requests under the new GDPR requirements.

Exonar’s platform solves these issues by discovering and offering instant visibility of sensitive data so organisations can complete SARs quickly, as well as improving risk management and cyber security.

Barrett concluded: “Exonar’s case management module offers a simple dashboard with a complete overview of SAR cases including detailed reporting and insight into bottlenecks. Easy to create templates allow untrained users to instantly find information related to an individual, and documents can be easily reviewed without the need to access the originals. It makes SAR processing simple and painless allowing the business to free up valuable personnel to focus on the business.”

About Exonar

Exonar solves a problem common to all organisations and their senior information owners: “I just don’t know what I’ve got”. Exonar finds and fixes an organisation’s information, from databases to documents – swiftly and at scale. We use machine learning to understand what’s important, where it is and who has access to it.

Exonar identifies documents containing passwords, customer and confidential information enabling successful governance, risk management, document retention, cyber security and compliance with regulations such as GDPR and CCPA – with ease.

We enable organisations to better organise their information, removing risk and making it more productive and secure. Visit us at sarlution.com to learn how your SAR process can be made quicker, easier and much more cost effective.

GDPR Myths: The five most common myths

GDPR Myths: It was inevitable that once GDPR had made its grand entrance on May 25th, hearsay, speculation and scaremongering were going to dominate the headlines. Some of those stories are still circulating, however. NatWest have published an article that puts to bed five common myths around GDPR that all SME business owners should be clued up on.

This informative article also features a comment from our COO Julie Evans, speaking about the importance of data security in line with the new regulations.

Read More: exo.nr/GDPRmyths

Doctor! Doctor! I have a SAR – How Long is the Waiting List?

A First-Hand Account of the Problematic Role of SARs Processing.

It’s widely known that resources within the NHS are stretched. So what happens when an institution that is already buckling under the pressure receives a consistently large volume of SARs with tight delivery deadlines? Now that SARs are free of charge for the public to request, following the introduction of the GDPR mandate in May, it’s not just the NHS that is struggling to manage the pressure of the increased volume. Even large organisations with chunkier departmental budgets are struggling to keep pace with responding to SARs. At Exonar, however, we believe we have a solution that will dramatically reduce the human effort of processing SARs, easing the pressure on admin staff across the globe, in any sector.

To highlight the need for more system automation, we spoke to a former NHS employee who shared their insights into processing requests in a recent exclusive interview with Exonar’s Head of Marketing, Dan Welberry. The following points were discussed during the interview:

  • Why do the public need access to their data?
  • The SAR process
  • Privacy and sensitivity of data handled
  • Issues of processing SARs within the NHS
  • Size and scale of requests
  • Turnaround deadlines
  • What would make SARs handling easier?

Why Do the Public Need Access to their Data?

‘Within the NHS, a subject access request is usually raised for one of two main reasons;

  • A patient who requires proof of a case for funding purposes.
  • A family member trying to bring probate to conclusion on behalf of the deceased.’

The Process:

‘Before any request for information is considered, the following steps must be taken:

Image source: Black Country Partnership NHS Trust; Subject Access Request Procedure

http://www.bcpft.nhs.uk/documents/policies/i/1623-information-sharing-sop-03-subject-access-request/file

Since the GDPR mandate was introduced on May 25th, there are now no fees charged to the public for processing SARs.

Privacy, Confidentiality and Sensitivity of Data Handled

Whenever assessing a case, the privacy of the individual has always been the most important thing to me. If there was any information required that couldn’t be provided, the request would be declined, and I would want to be sure that all the right documents were in place before any records were retrieved. There was always a need to consider the content with discretion too. There may well be a case where the requested content could contain very private information – information that might not be helpful, or could be upsetting, to the family and therefore could perhaps be withheld or redacted. Where historical records were requested, there was also a case for reviewing the language used. What might have been appropriate to say a number of years ago may not be so politically correct today – this too would have to be reviewed.’

Issues With Processing SARs Within the NHS

  • Lack of system automation: ‘One of the biggest issues faced was the amount of manual work required to fulfil a request. I believe this is a huge challenge for the NHS going forward as they simply don’t have the capacity to cope now, let alone handle the anticipated increase after the introduction of the GDPR in May 2018. Where redaction was required to hide any information, this would be done manually using a black felt tip pen, which was massively time-consuming in itself.’
  • Paper to Digital: ‘Prior to 2007, all records held by the NHS were on paper and from 2007 to date it’s probably around 50/50 – paper/electronic. All paper records were therefore required to be scanned. Any Post-It Notes or other attached notes would also need to be scanned without obscuring any content underneath’.  
  • Illegible Doctors’ Handwriting: ‘Covering notes present their own set of challenges, particularly when trying to decipher a Doctor’s handwriting!’
  • Single Sided Responses: ‘Any documents sent out as part of a response couldn’t be double-sided, so single pages only added to the amount of documentation to be issued.’

SAR Size and Scale

‘To give you an idea of the scale of typical requests, I believe the following to be a fair assessment:

Turnaround Deadlines:

When considering the delivery time, you have to take into account a number of factors. Firstly, an FOI must be completed in 20 working days, and a SAR will have one month to collate after GDPR is introduced on May 25th (previously 40 days). Crucially, a SAR demanding a one-month lead time means that all weekends and public holidays are included in the time allowance. Whilst the work is being undertaken, all cases must remain on the premises and be locked away when not being reviewed. This can result in a fair amount of late nights, which of course can be counterproductive when you really need to be very alert.

It’s my opinion that the ICO (Information Commissioner’s Office) provide very little support other than the information provided on their website. This in itself can be challenging as it’s written in a very ‘legal’ way, so it can often feel like taking guidance rather than knowing confidently that you are delivering what’s required. I recall when I started that very little training was given other than a quick run-through of some legislation. This worried me as I soon realised how forceful lawyers and the general public can be!’

What Would Make the SAR Process Easier Within the NHS?

During my time at the NHS, I often thought about how much easier the whole process would be with technology. I accept that the manual process of scanning would still be required, but the reading and redaction process could be completed in a fraction of the time. Consider these further issues once the collation process is complete – all impacting further on time and resources:

  • The office printer being out-of-use or out of ink due to the amount of pages being printed and delaying colleagues.
  • The need to use courier services to deliver vast amounts of paperwork.
  • The need to package up various parcels to be sent via recorded delivery.
  • The need to compress files where documents can be sent via email.
  • The need to send out multiple emails due to the amount of data being sent.
  • Formats and file types that can be read by the user, as well as platform compatibility, i.e. Mac vs PC.
  • Secondment of staff to achieve delivery deadlines.
  • FOI requests delayed whilst SARs take priority.

Having watched a product demo, it’s my belief that the NHS and central government would benefit hugely from the Exonar software. I know that from my experience, it would have made my life in SARs delivery so much easier! The initial outlay to install the platform in Trusts across the UK would save the NHS an untold fortune, and it’s here where I believe that Exonar would provide the most value. If SARs can be produced in minutes, not days, this will significantly speed up processes, release some of the burden currently weighing heavily on the NHS and centralise patient documents, allowing for better data security. I can’t think of a single reason why the NHS shouldn’t invest in Exonar – to me, a former data handler on the front line, it’s a no-brainer!’

Do you work in an industry that is buckling under the pressure of SARs? We’d love to hear from you. Please retweet this blog using #SARWars and tell us all about your Subject Access Request woes!

What’s New at Exonar

New Enterprise Information Management Tools for Your Organisation

Whether your core concerns are information management, governance, risk or security, we now provide access to the tools needed to start getting your unstructured data under control and protecting your most important information.

In order to benchmark themselves, organisations undertake a data discovery audit to understand what information they have, where it is and who has access to it. Exonar.com now provides these statistics and sample reports, as well as a free trial of the Exonar platform, to enable you to understand your own organisation’s data and how it compares with the average.

Announcing Intelligent Classification to Protect Your information

How do you know what to protect? How do you know which information you should care about? How do you find it? As the volume and variety of information continues to grow, the places we store it continue to diversify and the regulations governing how we use it become more onerous, answering these questions is at the forefront for leading organisations.

At Exonar, we’re launching Intelligent Classification to tackle this problem. Intelligent Classification uses machine learning to automatically categorise information by sensitivity, or any other characteristic you determine. It recognises the common themes, language and characteristics of information in a particular category (such as documents only accessible to HR, or documents with the protective marking ‘secret’) and classifies existing and new documents on the fly.
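The paragraph above describes learning the characteristic language of a category from labelled examples and then scoring new documents against it. As an added illustration of that general idea (not Exonar's Intelligent Classification, whose models and features are not described on this page), here is a multinomial naive Bayes text classifier written from scratch: it learns per-category word distributions from a handful of constructed training documents, classifies unseen documents on the fly, and can report which terms most distinguish a category. The training set, category names and test documents are all assumptions made for the example; real training data would run to thousands of documents.

```python
import math
import re
from collections import Counter, defaultdict

TOKEN_RE = re.compile(r"[a-z0-9']+")

def tokenize(text: str) -> list:
    return TOKEN_RE.findall(text.lower())

class NaiveBayesClassifier:
    """Multinomial naive Bayes with Laplace (add-alpha) smoothing, so a word never seen
    in training does not zero out a category's score."""

    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha
        self.doc_counts = Counter()               # label -> number of training documents
        self.word_counts = defaultdict(Counter)   # label -> token counts
        self.total_words = Counter()              # label -> total tokens seen
        self.vocab = set()

    def train(self, label: str, text: str) -> None:
        tokens = tokenize(text)
        self.doc_counts[label] += 1
        self.word_counts[label].update(tokens)
        self.total_words[label] += len(tokens)
        self.vocab.update(tokens)

    def _log_p(self, label: str, token: str) -> float:
        """log P(token | label) with smoothing."""
        num = self.word_counts[label][token] + self.alpha
        den = self.total_words[label] + self.alpha * len(self.vocab)
        return math.log(num / den)

    def log_scores(self, text: str) -> dict:
        """log P(label) + sum of log P(token | label), per category."""
        tokens = tokenize(text)
        n_docs = sum(self.doc_counts.values())
        return {
            label: math.log(n / n_docs) + sum(self._log_p(label, t) for t in tokens)
            for label, n in self.doc_counts.items()
        }

    def classify(self, text: str) -> str:
        scores = self.log_scores(text)
        return max(scores, key=scores.get)

    def characteristic_terms(self, label: str, k: int = 3) -> list:
        """Tokens whose probability under `label` most exceeds their probability under
        any other category: the 'common language' of that category."""
        others = [o for o in self.doc_counts if o != label]

        def lift(tok):
            return self._log_p(label, tok) - max(self._log_p(o, tok) for o in others)

        return sorted(self.vocab, key=lift, reverse=True)[:k]

# Constructed training set: a few documents per category, labelled by the share they came from.
TRAINING = [
    ("HR", "Salary review for employee grade band, payroll and pension contributions"),
    ("HR", "Disciplinary hearing notes: employee absence and sickness record"),
    ("HR", "Recruitment offer letter: salary, start date and right to work checks"),
    ("Finance", "Quarterly invoice reconciliation, supplier payment terms and VAT return"),
    ("Finance", "Budget forecast: revenue and cost centre spend for the quarter"),
    ("Finance", "Purchase order approval, invoice and supplier bank details"),
    ("Public", "Press release: our new office opens in Newbury, join the open day"),
    ("Public", "Newsletter: product launch event and partner webinar schedule"),
    ("Public", "Blog post about the conference talk and the team's charity run"),
]

def train_demo_classifier() -> NaiveBayesClassifier:
    clf = NaiveBayesClassifier()
    for label, text in TRAINING:
        clf.train(label, text)
    return clf

if __name__ == "__main__":
    clf = train_demo_classifier()
    for doc in ["Employee salary and pension statement",
                "Supplier invoice awaiting payment approval",
                "Event schedule for the launch webinar"]:
        print(f"{clf.classify(doc):<8} <- {doc}")
    print("HR is characterised by:", clf.characteristic_terms("HR"))
```

The three test documents each contain a word the model has never seen ("statement", "awaiting"); smoothing is what keeps those from silently knocking out the right category. In a discovery deployment the labels come from where documents already live (the HR share, the board pack folder, documents already marked ‘secret’), which is cheap supervision, but it also means the classifier inherits any mis-filing in that source, so the characteristic-term view is worth checking before trusting the labels for enforcement.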

We began working on this problem nearly three years ago, having realised that identifying important information lies at the core of any successful information security, risk or governance programme; if you can identify important and interesting information, the task of better organising, protecting and using it becomes much simpler.

This technology is the culmination of research we have undertaken alongside the University of Reading, co-funded by Innovate UK. We think it is an incredibly important step towards enabling you to understand, organise and protect your organisation’s information. We’d love to hear from you if you’d like to try it on your data, whether as a standalone discovery, classification or data loss prevention project. See our one-minute video on how it works, or register for our free trial.

See us at the RANT conference

We can also announce that we will be attending the RANT conference in London next month as part of its Start Up section. We would be delighted to see both familiar and new faces at the event, being held at 200 Aldersgate, St Paul’s, London, EC1A 4HD on the 3rd November. To sign up, visit rantconference.co.uk. We will be demonstrating our ability to make your information better organised, de-risked and more productive.