For some, Cyber Security is a job, a business function necessary for the continued success of an organisation. For others, perhaps those unaware of the importance of the information they are handling, Cyber Security is an inconvenience. But for the Information and Records Management Society’s volunteers and members, Cyber Security is, in the words of its Chair Scott Sammons, “A labour of love”. With these passionate volunteers, over 1100 members, and a recently re-launched website updated for the 21st century, the IRMS engages with anyone involved in the management or use of information, from librarians to Information Governance Managers through to Data Protection Officers, with a range of services on offer to improve Information Management and Security processes. Having chaired the now 40-year-old organisation for the past two years, Scott Sammons, who combines chairing the IRMS with a “day job” as Information Governance Strategy Lead for Essex County Council, has a myriad of experiences relating to Information and Cyber Security, experiences he shared with us as we sat down for a chat.
Having worked in Information Governance for almost ten years now, Scott recounted the start of his career in the field of IT, working with schools and their management systems. After moving into Information Governance for Essex County Council, Scott worked in the private sector for 4 years. He then returned to Essex County Council, which has over 1.6 million residents and 8000 staff on its books, to help with the implementation of the General Data Protection Regulation on a shoestring budget.
With the looming General Data Protection Regulation (GDPR) expected to have a large impact on both private sector businesses and public sector bodies such as Essex County Council, implementing the regulation, in tandem with budgetary restrictions and a host of public pressures to balance, is a sizeable task. Contrasting the public and private sectors, Scott emphasises the variety of functions that a county council simultaneously fulfils when compared to a private organisation, which focuses on its core business functions – “Generally a business has one or two key functions, a handful maybe, but generally a few things with one goal. Everything else wraps around that”. County councils, however, have a huge role to play in the lives of their residents – libraries, health services and customer services amongst others – with a vast array of different types of information required to ensure their smooth operation. Even for organisations blessed with an abundance of resources such as money and time, ensuring the appropriate management and security of information places a strain on their information management systems, so it is perhaps not a stretch to imagine the difficulties faced by local councils already pushed to the brink by ongoing budget cuts.
Despite these issues, councils, like any other organisation faced with the implications of the GDPR, must try to find value in the regulation. Scott is adamant that for GDPR to work for you and your organisation, the exercise of compliance must be “more than a tick box exercise, it needs to be a behaviour and a mind-set”. Scott also warns of the danger of staff becoming desensitised to the nature of the information they are handling, particularly in industries involving data from those most vulnerable – “You need to keep at the forefront of your mind that the data you are handling is dangerous – If I hand you a grenade and tell you this grenade will go off if you aren’t careful, you’ll do just that, but if I give you a file and don’t tell you its sensitivity, you might go about your business perfectly legitimately and not treat it with the care it deserves”. Scott is, of course, aware that human error and circumstance may get in the way regardless, but with the right mind-set and understanding, these easy-to-make mistakes are mitigated and managed as effectively as possible.
As Chair of the IRMS, Scott works with Information Management professionals at a variety of levels in a variety of industries. We were keen to see how the community has reacted to the upcoming GDPR ahead of its implementation in May next year. Scott says that the IRMS’ events, for example this year’s annual conference in Glasgow, have seen a significant jump in first-time attendees from a range of new organisations, showing the effects of GDPR already. This, Scott notes, is a trend the IRMS intends to capitalise on, getting as involved as possible with organisations to help dissect and understand GDPR through events like the Cyber Security Summit and Expo, and raising awareness of its work on this particularly hot topic.
One way the IRMS helps organisations with GDPR is by breaking down the regulation to identify the value within it for an organisation. When asked about specific areas of GDPR that he felt warranted attention, Article 30 came into focus – the record of processing activities. While Scott accepts that it may be possible to achieve compliance through a simple Word document outlining the roles and responsibilities of key figures, he sees this document as critical for the serious security rewards it can deliver. “If you actually want something to work and create a regulated environment, you want a central hub of your compliance framework – something to keep it centred and manageable. I’m firmly of the opinion Article 30 is just that.” Describing its role as a “what have I got? Where is it? Why am I collecting it?” document for information, Scott emphasised that the document’s purpose is precisely that of the GDPR as a whole – more than just a piece of paper, something really useful in guiding an organisation’s usage of information. When applied with the right mind-set in the right way, GDPR is far more than a mere nuisance – it’s a new and creative way of managing your information. Scott closed his summary of the GDPR by quoting Elizabeth Denham: “It’s not privacy or innovation – it’s privacy and innovation”.