Kellie Peters, Director of Databasix and self-proclaimed data rock star explores what has changed since GDPR came into force one year ago. Listen to her key tips to ensure compliance as well as her mantra when it comes to data protection.
Kevin: Hi everyone. Welcome to The Vault – Crown Records Management’s digital transformation podcast series. My name is Kevin Widdop – I’m the digital transformation sales lead here at Crown. On today’s episode of the show we’ve got Kellie Peters, Director of Databasix and also self-proclaimed Data Rock Star. Kellie and her team at Databasix adopt a people-focused approach to data management which aims to improve data quality and encourage ownership at a local level. Kellie, welcome to the show.
Kellie: Thank you very much for inviting me in.
The implementation of GDPR in reality
Kevin: So nearly a year on from GDPR’s adoption, what’s changed?
Kellie: To be honest, I think it’s the fact that when I go into meeting rooms with people and I talk about data protection their first reaction is, “Ah, GDPR” which is quite novel because 18 months before that people would say, “What? GDPR, what?”
So I think people have got a greater awareness of the term but not necessarily what’s involved with implementing GDPR.
Kevin: Really interesting…So last week Google was fined a record 44 million pounds – 50 million euros for ‘a lack of transparency and consent in its data collection practices that violate GDPR law’. It’s taken some time for these headline grabbing fines to come through, everyone was waiting with bated breath but is this the new norm for GDPR fines?
Kellie: I think you’ll certainly see more significant fines. I think when 25th May came last year, the belief that someone would be automatically fined was a little naive. In the summer, Facebook was only fined half a million pounds and the question was, “Well, why was that?” Well, they were still investigating previous violations of the Data Protection Act 1998.
It will be from this point on, I think, that we will see a few more higher profile GDPR complaints and fines.
But that doesn’t mean the smaller companies are not flying below the radar – it just means they’re not getting as big a fine as the headline grabbing Google fine.
What being compliant looks like
Kevin: Many of our customers and stakeholders say, “Oh GDPR, we did a load of work on that in 2017 and in the run up to the deadline last year. We are compliant”. As an expert on data what do you say to that?
Kellie: If you saw GDPR compliance as a tick box exercise, my first question would be “How are you managing it on a day to day basis?”
Because you can have policies and procedures, and look on paper as being compliant but if you were to encounter a breach or to have a subject access request, would your staff actually know how to handle that?
And if the answer to that is no, then in my opinion you are not compliant.
I don’t think anyone is ever going to be 100% compliant because the reality is, at any point in time, a fault can happen.
Key points about handling subject access requests
Kevin: Absolutely. You mentioned subject access request. So a subject access request as the ICO defines it, is where individuals have the right to access their personal data. When it comes to records management specifically, if you don’t know what’s in your boxes or if you’re not able to confirm what personal identifying data (PID) is in your email provider then you’re not compliant. Should businesses be worried?
Kellie: I think they should. I think one of the key things is really understanding where your information is because if you get a subject access request, you’ve got a very limited amount of time to respond to it. You’ve got 30 days.
If your starting point is, once you’ve qualified what the SAR is, “Where’s the information?”, 30 days is not a lot of time, if you’re a very large team with very complex systems and paper systems. I think a lot of people very much think about digital today and they forget about their paper records. They are just as much subject to the right to access from an individual whether it be an employee or a current or past customer.
So mapping your data whether it be customer, supplier, staff, is vital to be able to handle any kind of subject access request, in my opinion.
The current practice of mapping data
Kevin: Are organisations well positioned, when you talk about mapping their data? What’s the state of play out there?
Kellie: I’d say it varies from business to business. I’d say a lot of smaller businesses have not viewed data protection as something that they should be worried about, which is why the ICO in February last year did a massive campaign to raise the profile – that it is about trust, it’s about knowing your information, where it is, how to gain access to it – and it’s not just larger organisations.
So I think there’s a spread. I think there are some very large organisations that probably run on a significant number of Excel spreadsheets in various places and are just as ‘not confident’ as smaller businesses so I think it entirely depends on your approach to GDPR. Like I said, if you take an approach where you are on top of it and it’s a day to day exercise for you, you’ll know where your information is and your staff will understand where it is.
If you’ve got no clue 1) what data protection is or 2) say it’s somewhere in the Cloud, then I’d say you’ve got a long way to go and mapping your information would certainly, in my opinion, be the first place to start looking.
Defining who is responsible for GDPR
Kevin: Really interesting. So data management and mismanagement, it’s not just the preserve of one or two people within the organisation?
Kellie: No, I think you should have someone who takes leadership of it. I think you should have an Executive Board, so that someone’s got responsibility for data protection whether you’ve appointed a data protection officer or you’ve appointed a data protection lead because you don’t qualify to have a DPO but there should be someone at senior level that is reporting on any compliance related issues.
I think then if you take it down to middle management all of your heads of department should really understand what role they have to play in it. It’s not just an HR responsibility, it’s not just marketing or IT. They all have a role to play. There should be more openness about those roles and how they can work together and genuinely show accountability. I think then when you look at your staff who are actually handling the information on a day to day basis – what’s their role? They have a role to play because it will be human error that will cause you a breach in the future or is going to cause you to have inaccurate information.
So for me, it’s a top down approach but there’s also bottom up. If all your staff are genuinely accountable…I may be asking a lot for everyone to be passionate about the data that they process…but if they understand the role that they play then absolutely data protection shouldn’t be a concern for top management – because it’s an everyday exercise that they are undertaking, they understand who to talk to, who to raise an issue with and they are confident that it will be resolved.
Instilling a data protection culture
Kevin: It’s fascinating. A lot of what you’re saying speaks arguably to transformation within the business, to cultural change, dare I say it. How are businesses positioned to adopt a cultural change mindset in regards to data?
Kellie: I think that’s a really, really interesting question. My first point to anyone asking me that would be, if you were to ask your staff how they’d handle a data protection breach and they don’t know or they don’t want to put their hand up for fear of being told off or named and shamed, then you don’t have the right level of data protection culture that I would hope is instilled in companies.
In many ways it’s a case of testing…very much like a fire drill. Why wouldn’t you want to test to see where the vulnerabilities are? It’s not about pointing the finger. It’s about saying, “OK that’s gone wrong. How do we fix that? How do we learn from that? And how do we share that across the team?”
So that when something does happen, you’re on top of it. There is ownership. There is “Yes, we’ve made a mistake”. Rather than you finding out six months later that you’ve had a breach and you’re in a whole world of pain.
For me culture plays a massive part in really being able to be accountable and transparent about data protection.
The long-term impact on your bottom line
Kevin: Compliance and GDPR can sometimes be viewed as this onerous activity that businesses have to adhere to. There is a case though, isn’t there, for saying that compliance and a culture such as the one you’ve been describing shows not only that a company cares and respects their customers but arguably builds a trusting relationship. What’s your take on that?
Kellie: I couldn’t agree more. I think the question is what‘s the impact on your bottom line? If your customers and your staff lose trust in you in managing their information, what are the long-term impacts on your business?
People talk to other people and they may not buy from you in the future because you’re perceived as not being trustworthy with data. For me, my personal information is incredibly important to me so I want to treat that as fairly and honestly as I should do. So why shouldn’t I apply the same methodology to my clients’ and to my customers’ and to my staff’s information.
It is a privilege to be able to process that information and I think trust is fundamental to that – and if you lose trust you can’t quantify that in terms of value until it happens but think about what would be the hit on your bottom line because that’s what then gets people’s interest in addressing and taking forward change.
Kevin: Absolutely, finances and spreadsheets
Kellie: Don’t get me started on the subject of spreadsheets, we’ll be here for far too long!
Kevin: I won’t! Final reflections we can leave our audience with – one mantra when it comes to data protection, what would that be?
Kellie: We’re people-focused so I would make sure your staff from the very bottom all the way up to the top, very much understand the role that they play with data protection. It’s vital to your success of being compliant.
So take a people-focused approach to data protection.
Kevin: Kellie Peters, thank you so much for coming on the show.
For listeners, if you like what you’re hearing in terms of the content then please go to
The Vault, the website www.thevault.crownrms.com or subscribe on iTunes where you’ll find us by typing in “The Vault Digital Transformation”.
Thank you so much – we’ll see you next month for another episode.
Have you listened to episode one? With Dr. Nick Barratt, Director of Senate House Library at the University of London. Nick discusses the changing mind sets shaping the service that libraries deliver in a digital first age. As well as how changing how their collection is stored has led to a greater potential for the physical library space.