Data migration as an enabler for privacy by design

Data migration roundtable in focus: Part 2

During the recent Experian Data Quality Data Migration roundtable workshop, one of the charity attendees raised an interesting point that I had never heard in a data migration context before relating to data protection and data privacy ‘by design’.

The question focused on to what extent data migration could help support, and indeed enforce, the push for greater data protection compliance in our organisations.

We didn’t get the chance to cover this in depth, so I wanted to pick it up in this post and provide a more detailed response on how I see data migration techniques and technology in the broader data protection story.

First, some background

Last year the charity sector came under intense scrutiny from both the Information Commissioner's Office (ICO) and the media after it emerged that a number of charities were selling personal data to a large number of third parties. It was alleged that personal data was inevitably falling into the hands of rogue scammers, with significant sums of money being fraudulently obtained in some cases.

The issue of ethics was raised during this time as pictures of pensioners' homes were shown, filled with boxes of correspondence from charity organisations requesting donations.

Now, it’s clear that data migration alone can’t prevent a company selling on personal data; this is a management decision after all. But with data protection laws demanding a greater focus on data governance within organisations, how can data migration projects play their part?

Some clues come from the ICO website [1] and their position on privacy by design:

“The ICO encourages organisations to ensure that privacy and data protection is a key consideration in the early stages of any project, and then throughout its lifecycle. For example when:
1. Building new IT systems for storing or accessing personal data;

2. Developing legislation, policy or strategies that have privacy implications;

3. Embarking on a data sharing initiative; or

4. Using data for new purposes.

We would like to see more organisations integrating core privacy considerations into existing project management and risk management methodologies and policies.”

In the context of data migration, it’s clear that all of these points, especially 1, 3 and 4, are relevant.

The benefit of applying privacy by design during the data migration stage is, of course, that you are perfectly placed to influence the design and architecture of the target system. As the ICO points out, there are a number of additional benefits:

  • Potential problems are identified at an early stage, when addressing them will often be simpler and less costly
  • Increased awareness of privacy and data protection across an organisation
  • Organisations are more likely to meet their legal obligations and less likely to breach the Data Protection Act
  • Actions are less likely to be privacy intrusive and have a negative impact on individuals

Central to the recommended approach laid down by the ICO is the need for a ‘Privacy Impact Assessment’ [1] or PIA, but what exactly does this mean? Over to the ICO again:

“[a PIA] is a process which helps an organisation to identify and reduce the privacy risks of a project. An effective PIA will be used throughout the development and implementation of a project, using existing project management processes.
A PIA enables an organisation to systematically and thoroughly analyse how a particular project or system will affect the privacy of the individuals involved.”

In the context of a PIA, I believe this fits neatly into my approach for a ‘Pre-Migration Impact Assessment’ or PMIA (with a nice overlap in acronyms as well!) which we discussed in my last post on the blog.

The reason I believe these two initiatives fit together is found in the ICO Code of Practice for PIA, which explains the steps of a PIA process:

  1. Identify the need for a PIA
  2. Describe the information flows
  3. Identify the privacy and related risks
  4. Identify and evaluate the privacy solutions
  5. Sign off and record the PIA outcomes
  6. Integrate the outcomes into the project plan
  7. Consult with internal and external stakeholders as needed throughout the process

I’ve highlighted several of the points above because they align perfectly with the Pre-Migration Impact Assessment approach I recommend companies follow on every migration, namely:

  • During the PMIA one of your main activities is discovering information flows. This is done through functional analysis (i.e. asking the users what they do with data) and also relationship discovery (i.e. using advanced technology to discover how information flows around the organisation in support of business functions).
  • The PMIA exposes risks and misplaced assumptions, and can be easily extended to incorporate the privacy and data protection requirements of a PIA.
  • The PMIA helps you discover problems at the outset so you can begin early prototyping of solutions. These can of course include privacy requirements such as anonymisation, encryption and data sharing policies for the migration and subsequent go-live strategy.

But what happens after the migration?

In 2014 I spoke to Data Protection and Data Quality/Governance expert Daragh O Brien, who shared some insights into this.

In my interview, Daragh outlined some of the progressive steps early adopters of the revised data protection laws were taking. He identified these key activities that some companies were undertaking, driven by a greater demand for proactive risk management:

  • Change the culture and mindset about data and data privacy
  • Implement a data governance framework for personal data
  • Develop KPI metrics to help track potential data protection issues
  • Look at IT systems and infrastructure to determine how to apply the “right to be forgotten” or meet the needs of the right to data portability
  • Look at your interaction with the customer in terms of how they communicate purposes for processing of data to make sure the customer is better able to give informed consent, or seeking to confirm other lawful processing conditions for data

This need for ongoing governance is further emphasised by Daragh outlining the framework for GDPR (General Data Protection Regulation) [3] and where data governance and data quality play a role.

There is a great section in that article that states:

“The Governance and Quality focus in the Regulation is evidenced by the semi-mandatory DPO function, the emphasis on documentation of processing (which supports the transparency and accountability principles), and the emphasis on the need for processing and controls to be supported by evidence of their effectiveness.”
- Daragh O Brien

Within the context of ‘Data Privacy by Design’ [1] comes a clear need to enforce far greater data governance and data quality controls, and data migration best practice can help here because the answer to this problem is staring you in the face - it’s at the heart of your data migration strategy.

Why? Because every data migration project should build data quality management controls into the project so that when the migration terminates, you have a ready-made data quality/governance framework in place.

Why scrap that investment with so many demands for data protection and data governance in the pipeline from a variety of regulatory pressures?

Anyone present at the roundtable would remember that I talked (okay, preached!) about the need to not only build a data quality management capability during your data migration but to keep it going post-migration. The big mistake organisations make is to terminate the data quality management capability following the migration.

Data quality rules management is at the heart of modern methodologies for data migration such as the Practical Data Migration - PDMv2 (Ed - of which Experian Data Quality are now certified).

Without data quality management, your migration is likely to fail or suffer serious delays and limited success.

Killing off your migration data quality capability is a wasteful, reactive decision to take - please don’t do it!

Incidentally, if your organisation is in the process of doing this, get them to watch my webinar playback of ‘How to create a post-migration data quality launchpad’ which goes into detail about the benefits and techniques involved.

It is the ability to continue your data quality management capability, and indeed grow it, where the connection with data protection by design can be made.

Following the migration you will have (if you’ve followed the correct methodology):

  • Accurate metadata and data lineage information
  • Robust data quality rules specifications for the target environment and connected systems
  • Comprehensive business function models and documentation
  • Stakeholder maps and designed stewardship approval
  • Clearly assigned senior sponsors
  • Data quality dashboards and automated monitoring

Why would you throw that investment away?

It simply doesn’t make sense because without data quality controls the information will simply degrade over the ensuing years.

With the continued push for greater data protection laws, irrespective of sector, every organisation can now leverage the requirement for greater governance and quality of data by first of all implementing a robust data quality framework during their migration and then perpetuating that platform.

This data quality and governance capability not only assures compliance with data privacy and protection rulings but it makes sound business sense.

Improved and well managed data quality guarantees faster lead times, reductions in customer complaints, more efficient processing and more effective workers.

And now, you even have a more compelling argument - the regulator strongly advises it! Which leader would openly flout the recommended course of action from a regulator who is only getting tougher and tougher on inaction?

But what do you think? Are you applying privacy by design already? Does it have a role in the data migration process? Please share your views below.

Resources:

[1] ICO - Privacy by Design

[2] ICO - PIA Code of Practice

[3] One Slide Summary of the GDPR
