What’s GDPR I don’t hear you cry? Not another piece about impending doom and how we need to do more to comply with it, you ask? Well no, not really. Instead, a brief blog about what we have been doing internally at Tisski in the past few months about an all too common topic of conversation. Such a common topic that a friend of mine started talking to me about it at the pub a couple of weeks ago. It must have been a quiet night down the local…
As a technology supplier, more and more people are asking Tisski to demonstrate compliance with GDPR. That’s good – if I had a lengthy supply chain, I would want them to be up to date with legislative changes such as this. And this one is a biggie in the grand scheme of things. But I don’t see this as a massive change to what we have been doing. Maybe it’s because we have been pretty good to date with our internal processes and systems?
We don’t have multiple data silos hosted in a variety of data centres. We use Dynamics (natch!) for our customer engagement and Navision (who’d have guessed that!) as our ERP. And our approach to GDPR is one where we look for opportunity, rather than seeing it as a cost we need to incur in order to comply. How so, I hear you ask?
We have raised awareness internally at senior levels. We have assessed the risks and identified the actions needed to mitigate these and the Board has full visibility. All staff with access to data will undertake training in GDPR well in advance of May – we work with a great partner on all aspects of GDPR, Me Learning, and it has helped us prepare our Consultants, Developers, Support Staff and Marketeers for the imminent legislation. Our staff are now better informed than they were before and will treat the data we process with more due care and attention. A massive benefit for us.
I will admit that it gave us a gentle ‘nudge’ to review the data we hold. We have reviewed the data we hold on staff and customers (past and present), plus any potential leads or opportunities we may have had over the years. Any data that doesn’t have any business value has been deleted. We haven’t tried to analyse whether or not it is “personal” or “sensitive”, we have just cleaned up our data. Granted, holding it all in two systems made this a lot easier. I do feel for those organisations that have a complex web of legacy applications to trawl through. This position of strength also means that we know how to respond to a subject access request when we get one, and we can identify data relating to an individual and destroy it or transfer it when the need arises.
So, GDPR has given us a cleaner set of corporate data, seen us audit and review our processes and given us a better-informed team. This hasn’t come at a huge cost and hasn’t caused blind panic within the ranks. But, we aren’t naïve to the challenges that some people will face when it comes to GDPR between now and May. As a huge advocate for public services I hope that the likes of education and healthcare providers don’t get themselves into a pickle over GDPR.
But, like us at Tisski, anybody fretting about this can spin it on its head and see it as an opportunity. By consolidating your data onto a unified platform where it can easily be located and accessed, the risks of non-compliance can be significantly reduced. By educating your staff about the risks of data loss and misuse, you will have fewer security breaches. The greatest risk of information loss and misuse comes from your employees, so train them. The reputational and brand damage from poor information management practices can be huge. Why would you risk all that you have built up over time?
The Information Commissioner’s Office has been proactive in raising awareness for the health sector, publishing guidance and hosting webinars. This is a sector with some of the most personal and sensitive data there is. There is more to follow. We have a number of customers in this sector and we are keen to help nullify any risks of non-compliance. There is very little that would disappoint me more than to see large fines imposed onto a health service that has done such a fantastic job for my family and millions more.
There are a host of features within Dynamics 365 that can help. These include:
• Role-based security, which allows you to group together a set of privileges that limit the tasks a given user can perform against a specific entity or task.
• Record-based security to manage access to specific records.
• Field-level security to restrict access to specific fields, such as personally identifiable information and sensitive data such as sexuality, religion and ethnicity/race.
But whether it be to review your data structures, to help you cleanse the data you have, or to provide you with GDPR training, Tisski are here to help. Bring on May 25th 2018.