“…there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know…”
U.S. Defence Secretary Donald Rumsfeld – February 12, 2002
The quote above, taken from a press conference run by the American Defence secretary, has now entered management-speak as the archetypal example of an inelegant and ham-fisted explanation.
However, Rumsfeld’s statement is interesting, not so much for what he says but for what he doesn’t.
Reading the quote carefully, you can see that he has omitted the ‘unknown knowns’ – those are the things you don’t know you know.
Knowing what you know is important as it governs your future behaviour. Knowing you have a manual for your car means you only go to the mechanic for problems that aren’t covered. Knowing you have access to recipe books in your house means you know you can cook a range of dishes.
From my experience in GDPR consulting, one of the biggest problems I’ve found is that businesses don’t know what they know. They don’t know what data they have, where it’s located, who has access to it or even how long they’ve had the data for.
Knowing what you know is critical.
- Knowing what data you have drives your data retention schedule;
- Knowing where your data is drives your Subject Access Request process;
- Knowing who has access to your data drives your User Access controls.
In short, businesses could do worse than to carry out an Information Audit and produce from that an Information Asset Register (IAR). Put simply, an IAR is a list of the data sets you have (whether paper or electronic) and key details about them, such as which department holds the data, why they have it and where it is located.
As you trawl through the data holdings you have and add to the IAR, you should start to ask yourself questions about what you find such as ‘do we really need this?’, ‘is it being held securely?’ and ‘should the people who can access this data be allowed to do so?’.
The answers to these questions drive the further actions you need to take to comply with the new Data Protection legislation that enshrines GDPR.
The form of the register doesn’t have to be complicated. While a lot of companies will try to sell you fantastic IT systems to manage IARs, for a lot of businesses, especially SMEs, you can get away with something no more sophisticated than an Excel spreadsheet.
A good example I found comes from the Information Commissioner on the Isle of Man – https://bit.ly/2xSrp1h although they call it a Personal Data Inventory.
The layout is nicely structured, holds the key features for any data set and can be easily completed by whoever is carrying out the audit.
In one example, a company I supplied GDPR consultancy to carried out an Information Audit and soon found multiple spreadsheets holding personal data for marketing purposes spread over a dozen PCs in the business. No-one knew which spreadsheet(s) contained the current data (assuming any of the data was current at all), with members of the Marketing team not even knowing that colleagues held their own, differing marketing lists.
As a result, new procedures were brought in to aggregate the marketing data into a single source, clean the data (removing out of date information) and then establish a common way of adding to it based on data subjects’ consent. Without an Information Audit, be assured they would still be working from disparate and probably inaccurate information.
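As an added example that is not part of the original post: a small Python model of such a register, with the checks the audit questions above imply (data held past its retention period, the same data set held in several places as in the marketing case, entries with no stated purpose, and data open to everyone). The field names and sample rows are assumptions, constructed for illustration, not taken from any real register.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass
class IarEntry:
    """One row of an Information Asset Register (field set is an assumption)."""
    dataset: str          # name of the data set
    department: str       # who holds it
    purpose: str          # why it is held (blank = audit question unanswered)
    location: str         # where it lives (paper or electronic)
    access: list          # roles that can open it
    acquired: date        # when the business first obtained it
    retention_months: int # how long the retention schedule allows


# Constructed sample register, modelled on the marketing case in the post.
REGISTER = [
    IarEntry("Marketing list", "Marketing", "Email campaigns (consent)",
             "PC-MKT-01 (Excel)", ["marketing"], date(2015, 3, 1), 24),
    IarEntry("Marketing list", "Marketing", "",
             "PC-MKT-07 (Excel)", ["marketing", "all-staff"], date(2016, 9, 1), 24),
    IarEntry("Payroll", "Finance", "Pay staff (legal obligation)",
             "Finance file server", ["finance", "hr"], date(2018, 1, 1), 72),
    IarEntry("Job applications", "HR", "Recruitment",
             "Filing cabinet, room 2", ["hr"], date(2017, 6, 1), 6),
]


def months_between(start: date, end: date) -> int:
    return (end.year - start.year) * 12 + end.month - start.month


def past_retention(register, today):
    """'Do we really need this?' - entries held longer than the schedule allows."""
    return [e for e in register if months_between(e.acquired, today) > e.retention_months]


def duplicate_holdings(register):
    """Same data set recorded in more than one location (the scattered spreadsheets)."""
    locations = defaultdict(list)
    for e in register:
        locations[e.dataset].append(e.location)
    return {name: locs for name, locs in locations.items() if len(locs) > 1}


def missing_purpose(register):
    """Entries where the holder could not say why the data is kept."""
    return [e for e in register if not e.purpose.strip()]


def broad_access(register, broad=("all-staff",)):
    """'Should the people who can access this be allowed to?' - open-to-all entries."""
    return [e for e in register if any(role in broad for role in e.access)]
```

Each function returns the offending register rows, so the output is directly the action list for the retention schedule, the consolidation work and the access review.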
As the saying goes ‘the longest journey begins with a single step’. However, to get to any location, you always need to know where you’re starting from.