From Asset to Impact - Presentation to ICS Data Protection Conference 2011


Published on

This is a presentation I delivered to the Irish Computer Society Data Protection Conference in February 2011 and again on a webinar for in March 2011.

It looks (for what I believe was the first time) at the relationship between Information Quality and Data Governance principles and practices and the objectives of Data Protection/Privacy compliance. it includes my first version of the mapping of the 8 Data Protection principles to the POSMAD Information Life Cycle referred to by McGilvray and others in the IQ/DQ fields.

Published in: Business, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • While the Bloor Research study was looking at planning for data migrations, the fact that only 1 in 10 companies who responded to the survey had done any data profiling as part of planning their data migrations is a statistic that backs up the anecdotal stories from Risk Management consultants that the biggest problem in Risk Audits or Risk Reviews is that people don’t have information to make informed decisions, and for the information they do have, they are not always in a position to stand over the accuracy of it.
  • From Asset to Impact - Presentation to ICS Data Protection Conference 2011

    1. 1. Designing Quality In Applying Information Quality Principles to Data Protection
    2. 2. You cannot inspect quality into the product; it is already there. W. Edwards Deming
    3. 3. Some Theory….
    4. 4. A Case Study…
    5. 5. Lessons learned…
    6. 6. In less than 60 mins… (including Q&A)
    7. 7. Some Theory….
    8. 8. Peter Drucker “So far, for 50 years, the information revolution has centered on data - their collection, storage, transmission, analysis, and presentation. It has centered on the "T" in IT. The next information revolution asks, what is the MEANING of information, and what is its PURPOSE?”
    9. 9. Technology is just a tool.
    10. 10. Data Protection Rules 1. Personal data which is being processed must be fairly obtained and processed 2. Personal Data shall be kept accurate and complete and, where necessary, kept up to date 3. Personal Data shall be obtained for a Specified and Lawful Purpose 4. Personal Data shall not be processed in a manner incompatible with the specified purpose.
    11. 11. Data Protection Rules 5. Data processed must be adequate, relevant and not excessive 6. Personal data should not be kept for longer than necessary for the specified purpose or purposes 7. Personal Data should be kept Safe & Secure 8. Data Subjects have a right of Access.
    12. 12. Nominated REsponsibility Legislation requires a nominated “Data Protection Officer” to exist in organisations
    13. 13. Linking to Data Quality EU Directive 95/46/EC defines “Data Protection” principles as “Data Quality Principles”.
    14. 14. What is “Information Quality”? The degree to which information and data can be a trusted source for any or all required uses. The degree to which data and information meets the specific needs of specific customers. Consistently meeting or exceeding knowledge worker/end customer expectations.
    15. 15. Data Quality Characteristics
    16. 16. Information Chains Information Flow Some Output Some Input Some Output Some Action Some Action Some Action By someone By someone By someone That becomes an Input That becomes an Input Some Output
    17. 17. Who are they doing it for?
    18. 18. When are they doing it? are they stopped from doing it? are they finished doing it? do they start doing it again?
    19. 19. What do they need to do it?
    20. 20. do IT systems need to interact? How does this get done? is technology deployed to support?
    21. 21. Why are we doing this?
    22. 22. If you can't describe what you are doing as a process... ... You don’t know what you are doing. W. Edwards Deming
    23. 23. THIS IS NOT A PROCESS Map or Info Chain Description • • • • • • We do this. Then Martin in Accounts does that. Then Betty in Receivables does this other thing Then it comes back to us Then something else happens. 4th Thursday of month the Jaberwock audits.
    24. 24. If I had wanted to know what you did on your holidays, I’d have asked . Process Improvement Lead, Telco industry
    25. 25. The Info Asset Life Cycle Plan What resource do we need? What do we need it for? What attributes/characteristics should this resource have? Are we prepared for this resource? Obtain How will we get this resource? Where will we get it? Store/ Share How will we accommodate/store this resource? How (if necessary) will it be shared amongst functions in the business? Maintain Apply Dispose How will we maintain and develop this resource to ensure maximum utility and value? How will we use this resource? How will the resource be used to generate net cash inflows or support the delivery of services? How will we reduce our volumes of this asset when it no longer serves a valuable purpose? What conditions will indicate that an asset is no longer serving a valuable purpose?
    26. 26. Data Quality Characteristics
    27. 27. Metrics &Measurement Statistical Process Control Scorecards From
    28. 28. Only 1 in 10 companies performed some form of data profiling on their datasets, affecting risk assessment on data migrations and other initiatives. Source: Bloor Research 2007
    29. 29. Summary (of Theory) Data Protection & Information Quality are closely linked disciplines Understanding your Processes is key Quality has to be built in Inspecting defects out is not Quality POSMAD Information Life Cycle gives context You can measure Quality of Information (across many characteristics)
    30. 30. A Case Study…
    31. 31. Disclaimer: The case study described here is a composite of a number of projects that I have either worked on directly or studied in direct contact with the project sponsors and project managers involved. This has been done to preserve anonymity of the organisation(s) involved Not all the projects were “Data Protection” focussed. However the application of Information Quality and Data Governance best practices resulted in opportunities for Data Protection supports being identified and seized. .
    32. 32. The Project I’ve got a cunning plan.
    33. 33. The Project • • • • • • Sales Force Automation. Single View of Customer Master Data Management “e-Nable” traditional paperbased processes Outsource some Call Centre/Field Sales operations E-billing for customers
    34. 34. Wanted
    35. 35. Got
    36. 36. The First Mistake Focus on IT Architecture and systems infrastructure Process Definition & Data Quality issues “descoped” Plans became based on “Systems” Project teams became siloed Focus on “Data Subject” lost
    37. 37. Second Mistake Key information wasn’t available in the right format for certain processes
    38. 38. Couldn’t handle Consumer customer with >1 billing account. Interim Solution: Needed “Customer Name” as <title><firstname><lastname> Interim Solution: All customer names in Single View of Customer database parsed using an MS Access Database on a laptop each week
    39. 39. Third Mistake Personal Data was being captured that wasn’t actually being used anywhere or whose use was unclear
    40. 40. First name Last name Address 1 Address 2 Address 3 Address 4 PPSN Age Gender Junk Mail Bank A/C details/Credit Card Yes/No Acct Number Branch Code Credit Card Number Contact Telephone Mother’s Maiden Name Details of any Medical Conditions Household Demographics Services you are interested in Marital Status Married Single Separated Divorced Cohabiting Number of Children Partner’s Name Service 1 Service 2 Service 3 Service 4 Mock up of the paper form that had historically been used
    41. 41. Why Spock? Why?
    42. 42. Basic design also used in Call Centre and for on-line self service sign up (write once, use often)
    43. 43. Fourth mistake Junk Mail: Yes/No Assumption: No means No?
    44. 44. Fifth Mistake Incentivisation: Performance related pay tied to % of fields POPULATED
    45. 45. Sixth Mistake Outsource Contract No contract terms re: • Data Protection • Data Quality
    46. 46. Plan Processes were mapped Timing of data needs identified Relevance of Data was documented Critical Quality Measures picked Meaning of Data clearly defined Purpose of Data clearly understood
    47. 47. Obtain Customer inputs data Customer data Output Log Expression of Interest Call Centre Customer Acquisition Decision Review Customer Request Complete Additional Data Sales Team Customer on-line On-line Self Service Call Centre & Web forms redesigned Unused data removed from forms Timing of questions was changed
    48. 48. The down stream processes were age-sensitive. Just capturing AGE at a point in time meant customer services could not be delivered reliably
    49. 49. Maintain Key metrics defined for Information Processes defined for Maintaining data … by the customer (self service) … by the organisation … in response to leading indicators
    50. 50. Data Quality Characteristics
    51. 51. Maintain Manual Data? Define characteristics to be measured Random sample of files (Poisson Distribution)
    52. 52. Simples
    53. 53. Maintain Measured performance of Process Completeness Currency (age of data) Consistency
    54. 54. Store/Share Outsourcing contract was renegotiated Clear expectations set Duties & Obligations Security/Privacy Process standards Data Quality
    55. 55. Store/Share Controls implemented over “End User Computing” Use and purpose informed future development roadmap
    56. 56. Apply By understanding “HOW” data was used, and where...
    57. 57. Apply • Right Data to Right place at Right time for Right Reason • Right Risk Assessment, Right Security, Right controls. • Less cost of rework and worry
    58. 58. Disposal/Destruction Metrics Average Age (of data) Average Time since last update/access Actions Business Case Support Retention Policy
    59. 59. Lessons learned…
    60. 60. Technology is just a tool.
    61. 61. Information Value Chains are the Missing Link A.K.A. Processes A.K.A. “CyCles” A.K.A. SIPOC A.K.A. Workflow If you can't describe what you are doing as a process... ... you don’t know what you are doing.
    62. 62. Information has a life cycle. That life cycle gives important CONTEXT
    63. 63. From Process & Context = Meaning & Purpose
    64. 64. Information has attributes you can measure... Measurement can support Controls and Policies Metrics can support Change Management goals
    65. 65. What is measured gets done.
    66. 66. Perspective is important... The Project did not set out to address Data Protection per se. But deliverables supported proactive Data Protection Management
    67. 67. Sustaining the change is the Big Challenge
    68. 68. Data Protection often sold on FEAR
    69. 69. How can you feed the GREED motive?
    70. 70. What is your Data Protection Scorecard? How does it translate to your bottom line?