During the recent Experian Data Quality Data Migration roundtable workshop, one of the charity attendees raised an interesting point that I had never heard in a data migration context before relating to data protection and data privacy ‘by design’.
The question focused on to what extent data migration could help support, and indeed enforce, the push for greater data protection compliance in our organisations.
We didn’t get a chance to cover this in depth, so I wanted to pick it up in this post and provide a more detailed response on how I see data migration techniques and technology in the broader data protection story.
Last year the charity sector came under intense scrutiny from both the Information Commissioner’s Office (ICO) and the media after it emerged that a number of charities were selling personal data to a large number of 3rd parties. It was alleged that personal data was inevitably falling into the hands of rogue scammers, with significant sums of money being fraudulently obtained in some cases.
The issue of ethics was raised during this time as pictures of pensioners’ homes were shown, filled with boxes of correspondence from charity organisations requesting donations.
Now, it’s clear that data migration alone can’t prevent a company selling on personal data; this is a management decision after all. But with data protection laws demanding a greater focus on data governance within organisations, how can data migration projects play their part?
Some clues come from the ICO website [1] and their position on privacy by design:
“The ICO encourages organisations to ensure that privacy and data protection is a key consideration in the early stages of any project, and then throughout its lifecycle. For example when:
1. Building new IT systems for storing or accessing personal data;
2. Developing legislation, policy or strategies that have privacy implications;
3. Embarking on a data sharing initiative; or
4. Using data for new purposes.
We would like to see more organisations integrating core privacy considerations into existing project management and risk management methodologies and policies.”
In the context of data migration, it’s clear that all of these points, especially 1, 3, and 4, are relevant.
The benefit of applying privacy by design during the data migration stage of course is that you are perfectly placed to influence the design and architecture of the target system. As the ICO points out there are a number of additional benefits:
Central to the recommended approach laid down by the ICO is the need for a ‘Privacy Impact Assessment’ [1] or PIA, but what exactly does this mean? Over to the ICO again:
“[a PIA] is a process which helps an organisation to identify and reduce the privacy risks of a project. An effective PIA will be used throughout the development and implementation of a project, using existing project management processes.
A PIA enables an organisation to systematically and thoroughly analyse how a particular project or system will affect the privacy of the individuals involved.”
In the context of a PIA, I believe this fits neatly into my approach for a ‘Pre-Migration Impact Assessment’ or PMIA (with a nice overlap in acronyms as well!) which we discussed in my last post on the blog.
The reason I believe these two initiatives fit together is found in the ICO Code of Practice for PIA, which explains the steps of a PIA process:
I’ve highlighted several of the points above because they align perfectly with the Pre-Migration Impact Assessment approach I recommend companies follow on every migration, namely:
In 2014 I spoke to Data Protection and Data Quality/Governance expert Daragh O Brien, who shared some insights into this.
In my interview, Daragh outlined some of the progressive steps early adopters of the revised data protection laws were taking. He identified these key activities that some companies were taking after being driven by a greater demand for proactive risk-management:
This need for ongoing governance is further emphasised by Daragh outlining the framework for GDPR (General Data Protection Regulation) [3] and where data governance and data quality play a role.
There is a great section in that article that states:
“The Governance and Quality focus in the Regulation is evidenced by the semi-mandatory DPO function, the emphasis on documentation of processing (which supports the transparency and accountability principles), and the emphasis on the need for processing and controls to be supported by evidence of their effectiveness.”
- Daragh O Brien
Within the context of ‘Data Privacy by Design’ [1] comes a clear need to enforce far greater data governance and data quality controls, and data migration best practice can help here because the answer to this problem is staring you in the face - it’s at the heart of your data migration strategy.
Why? Because every data migration project should build data quality management controls into the project so that when the migration terminates, you have a ready-made data quality/governance framework in place.
Why scrap that investment with so many demands for data protection and data governance in the pipeline from a variety of regulatory pressures?
Anyone present at the roundtable would remember that I talked (okay, preached!) about the need to not only build a data quality management capability during your data migration but to keep it going post-migration. The big mistake organisations make is to terminate the data quality management capability following the migration.
Data quality rules management is at the heart of modern methodologies for data migration such as the Practical Data Migration - PDMv2 (Ed - of which Experian Data Quality are now certified).
Without data quality management, your migration is likely to fail or suffer serious delays and limited success.
Incidentally, if your organisation is in the process of doing this, get them to watch my webinar playback of ‘How to create a post-migration data quality launchpad’ which goes into detail about the benefits and techniques involved.
It is the ability to continue your data quality management capability, and indeed grow it, where the connection with data protection by design can be made.
Following the migration you will have (if you’ve followed the correct methodology):
It simply doesn’t make sense because without data quality controls the information will simply degrade over the ensuing years.
With the continued push for greater data protection laws, irrespective of sector, every organisation can now leverage the requirement for greater governance and quality of data by first of all implementing a robust data quality framework during their migration and then perpetuating that platform.
This data quality and governance capability not only assures compliance with data privacy and protection rulings, but it also makes sound business sense.
Improved and well managed data quality guarantees faster lead times, reductions in customer complaints, more efficient processing and more effective workers.
And now, you even have a more compelling argument - the regulator strongly advises it! Which leader would openly flout the recommended course of action from a regulator who is only getting tougher and tougher on inaction?
But what do you think? Are you applying privacy by design already? Does it have a role in the data migration process? Please share your views below.