The inflation-beating cost of data protection snake-oil

External directors have the opposite problem to journalists. Under “fin de siecle capitalism” and in public sector “quangoland” they are sacrificial goats: little or no power to effect change but expected to share responsibility for failure. The time has come to butt back.

One obvious area is with regard to data protection and information governance, where almost no organisation, public or private, has received value for what it has spent on legal advice and consultancy, let alone on “compliance”, over the past decade or so. But a whole army of advisors is queuing up to sell the Board (and HMG) yet more expensive snake-oil.

Meanwhile the core problems are:

– no-one knows what the policy is, if there is one, let alone what it means to them

– no-one has checked its compatibility with mainstream operational practice

– no-one has exercised the disaster recovery and/or damage limitation routines

This has happened because the “experts”, all too often commissioned by those who can be spared rather than those concerned with operational performance or business benefit, have produced vast tomes of unreadable, legalistic, bureaucratic gobbledygook.

As readers of my past blogs will be aware, ISSA have agreed to produce a guide for directors, hopefully based on updating and simplifying that produced by IAAC in the past. In the meantime, material designed for Chief Information Officers (and readable by ordinary human beings) is available from the National Computing Centre and the British Computer Society. It is actually very inexpensive, but you do need to go via your NCC membership contact or a BCS professional member.

While you are working out how to do that, I would suggest ten simple questions for external directors to ask themselves before the next Board meeting:

– Have you ever seen, let alone read, the organisation’s information risk (or information security, data protection or similar title) policy?

– How long did it take you to read?

– Could you understand it?

– Did it complement the mainstream business operations and help achieve the objectives of the organisation – or did it get in the way?

– Are all staff in the company informed of the policy, why it is important and what it means for them?

– Are all staff trained/assessed in their understanding of the policy and how to follow it in their day-to-day jobs?

– Do all staff (at all levels) know who to contact when faced with a problem that is not covered by the policy?

– What are the company’s routines in the event of a serious problem and when were they last tested?

– Are you content with the answers to the above?

Astute readers will realise that there are only nine questions (albeit some are multiple).

That is because the economy is in recession and most budgets will be decimated (and every tenth member of staff will be fired, unless you can slash the external spend by even more).

But a £5,000 saving has now cost HMRC well over £2.25 million, before allowing for reimbursing police and other external costs. Before you agree to any cuts in the security budget, suggest that existing staff be given a modest allowance (cost and time) to network professionally with their peers, update their skills and then present a “headlines only” business risk assessment to the board.

My speech and presentation to the ISSA pre-Christmas reception indicate some of what I personally think they will find and how you might then task them to get rather better value for money in the future.

P.S. After posting this I was reminded that I have left out by far the cheapest and most authoritative source of good advice: the Information Commissioner’s website. You will then discover that much of what you have been expensively told is unnecessary or actually wrong. I have yet to find anything that makes good business sense that is forbidden – provided you give a “plain English” explanation of what you are doing and why.


Good to see some common sense in an area full of paranoia, mis-information and mis-management. The subject has been the "Emperor's new clothes" for far too long.

But the fundamental principles behind the message haven't changed in over 20 years... dissing all those consultants who have provided the right advice time and again isn't particularly constructive. Just as easy as knocking the government appears to be the constant ability to throw a jibe at a consultant. But there are those who are experienced, nay expert, in their field - with a breadth of knowledge that hours and hours of life have been invested in gaining. The fact that there has been a cultural divide in the understanding between management and the expertise is, in fairness, a likely fault of the language used. However, perhaps now we have reached the tipping point that allows for a wider audience to understand that language and act upon it - though clearly, sadly, after many a horse has bolted.

Senior management in many organisations need to look within. For years, Internal Audit report after Internal Audit report has found the SAME things that external consultants find - so why do they insist on spending money needlessly rather than listening to the internal experts? So much of this is bound in cultural misunderstandings, fiefdoms, acronyms, smoke and mirrors.

Sad but true; but we need to hold firm and maintain focus rather than dilute or diminish the strength of our collective knowledge and expertise, and insist, even more strongly, on being listened to and acted upon. Surely that is the challenge of a professional.