ICO Fine Highlights Spreadsheet Risk for GDPR Compliance
Recently, the UK’s Information Commissioner’s Office (ICO) fined London’s Royal Borough of Kensington & Chelsea (RBKC) £120,000 for unlawfully identifying 943 people who owned vacant properties in the borough. The breach was caused in error by a staff member of the Borough who was responding to Freedom of Information (FOI) requests on how many properties were empty in the Borough. The issue was that sensitive personal data, which was hidden from RBKC staff, was easily found by the FOI requester in a spreadsheet, placing the Borough in clear violation of the UK Data Protection Act and its imminent successor, GDPR.
This incident highlights two issues. Foremost, human error in spreadsheet usage poses a high risk to any organization’s GDPR compliance efforts once the regulation kicks in on 25th May. In this case, the error was a result of users’ poor understanding of how to properly identify, manage and remove personal data.
Secondly, manually managing and monitoring GDPR-related information (which often resides in spreadsheets) effectively is challenging, if not impossible, in many organizations because of the sheer volume involved. The complexity of many business-critical spreadsheets, and the thousands of cells within them, means that identifying, in this case, hidden data is difficult, to put it mildly.
This data breach is a stark reminder that unstructured data, which is often stored in spreadsheets and distributed across the organization, must be part of the GDPR compliance efforts, similar to the structured data that resides in core IT applications.
To ensure ‘sustainable’ compliance with the GDPR and other data protection frameworks for the foreseeable future, it’s imperative that organizations establish a management framework for structured and unstructured GDPR-relevant data so that it can be proactively managed based on the level of risk it poses to the business.
A systematic, automated approach will ensure that data is captured in accordance with the organization’s GDPR policy and provide an auditable attestation process to make GDPR compliance business-as-usual. It will also give organizations the capability they need to speedily meet requests for erasure and data portability should an individual demand it. Crucially, it will minimize manual intervention and therefore human error, which can prove catastrophic when it comes to manually managing and monitoring spreadsheet environments for things like version control, changes and approvals, new data additions and attestation.
Organizations will do well to establish what Personally Identifiable Information (PII) resides in their Excel estate and then implement the necessary systems and processes for data protection in general, as well as for compliance with the GDPR. As shown in this case, it’s no longer a luxury, but a necessity.