GDPR and the Data Mavericks
In a world where data has become both a driver for decisions and a measure of power for the people who hold it, the Data Mavericks have become a risk that the introduction of GDPR will force many organisations to address. Information held in a silo outside the organisation's collective responsibility will make it difficult for the organisation to demonstrate its commitment to compliance.
What is a Data Maverick?
“Maverick – A person who shows independence of thought and action, especially by refusing to adhere to the policies of a group he or she belongs to”. (Source: freedom dictionary)
In 2011 SAS Institute developed this definition further in their Information Evolution Model and defined the effects of Mavericks in relation to organisations and their data.
“limitations arise largely from the natural self-interests of information mavericks, who often leverage information to their own personal benefit. Individuals flourish at the expense of the organization.” (Source: SAS Information Evolution Model, SAS Institute 2011)
In many cases the Data Mavericks in our organisations are the people who have the information to answer a difficult question nobody else could. They know where to find the missing piece of information we needed to complete a project, but won’t share how they got it. When management needed a specific report, they were often the people we could go to, and from some magical place they were able to come up with the answer.
Historically, in small, medium and many large organisations, they have been indispensable, providing a service that many of us, too busy with more important things, were happy to avail ourselves of. Unfortunately, in the world of GDPR they now become a risk that we cannot be too busy to ignore.
An example of Data Mavericks gone mad…
Not too long ago I participated in a project with a large Energy company that was developing a new company-wide Data Warehouse. As part of the project we needed to identify all the source systems from which corporate data should be incorporated.
As we audited the different information stores, we identified that a company employing 4000 people held 33,000 Access databases, 25,000 of which were still being updated and 300 of which were being used for mission-critical reporting.
How will this affect me under GDPR?
Data held by Data Mavericks is in many cases outside the organisation's normal data governance policies, sometimes simply because we don’t know about it. By implication, that makes it hard to answer the simple questions that a customer can, and probably will, ask us under the GDPR requirements:
- Where is my data held?
- What are you using it for?
- What data are you holding?
- How long have you had it?
- Is it secure?
AND
- I would like you to transfer my data to …
- I would like to see a copy of my data that you are holding.
All of these are simple questions and requests that could, and probably will, be asked within the first six months by at least one of the people whose data we hold, potentially exposing us to penalties, if not reputational damage.
Under GDPR we are, among other things, responsible for obtaining permission for the data, securing it, conducting data privacy impact assessments, transferring it, providing data audits and removing it on request. All of this requires us to be able to identify whose data is held, where, and for what purpose. Data Mavericks in our organisation can undermine all the good work we did putting in place the governance policies and processes that manage and minimise our GDPR risk and keep us compliant.
Now our Data Maverick has become an Operational Risk!
What strategies can we use to combat the Data Maverick?
The bad news is that we can’t combat the Data Mavericks; we need to bring them into the fold. Try to fight them or force them to comply and they will become more secretive and more protective of the power they hold and the data they parcel out.
Any change that democratizes information and standardizes it across the department will naturally be perceived as a threat to the power mavericks have built up. It is imperative to persuade information mavericks of the benefits of evolution, because it won’t succeed without their buy-in. (Source: SAS Information Evolution Model, SAS Institute 2011)
To bring them into the fold we will have to come back to the 4 core basics:
People – Will these people play on a team? Despite their skills and their importance, can we make them part of the larger organisation, contributing in a way that both they and the organisation benefit from?
Process – Do we have the governance and policies in place to protect us now and in the future, should we accidentally hire another one, while still giving them the freedom to do what they do best within the policies that contain our risk?
Infrastructure – Is the technology that underpins our governance and processes good enough to manage the data held by our current Data Mavericks, and to identify and manage any new ones?
Culture – As an organisation, have we successfully communicated the value of the data we hold? Do the organisations and people dealing with us believe that we hold their data in trust, and for their benefit as much as for ours?
Summary
The above is not intended as a silver bullet for dealing with Data Mavericks, but to highlight what will be a very real problem in complying with GDPR. Most organisations will successfully navigate the compliance process for GDPR's requirements. Where many will struggle, and where the real risk lies, is in what they do not know about the people and data within their own systems.
By the nature of people and the society we live in, people will try to test the boundaries of GDPR; as organisations we should accept that as a given. But we should also understand and plan for the things currently outside our control.
About the Author
Neil Currie is one of the founders of QFire Software (www.qfiresoftware.com) and an Independent Data Management consultant based in the UK.
QFire delivers a data cleansing and management product for dealing with inaccurate data under GDPR and an event processing engine for managing the compliance aspects of incoming, outgoing and master data permissions and audit.