Tag: compliance

  • The Who/What/How and Why

    Data protection and Information Quality are linked in a number of ways. At one level, the EU Directive on Data Protection (95/46/EC) describes the underlying fundamental principles of Data Protection as “Principles for Data Quality”.
    While that is great pub quiz content, it helps to be able to make some more pragmatic and practical links as well.
    On a project a while ago, I was asked to help a client ensure that certain business processes they were putting in place with a partner organisation were data protection compliant. They’d been asked to do this by the partner organisation’s lawyers.
    I leaped into action, assuming that this would be an easy few days of billable. After all, all I needed to know was what data the partner organisation needed, when, and why, in order to document some recommendations for my client on how to build a transparent and compliant set of policies and procedures for data protection.

    Unfortunately the partner organisation seemed to lack an understanding of the what’s, why’s, when’s, and how’s of their data. This was perplexing as, nice and all as a blank canvas is, sometimes you need to have a sense of the landscape to draw your conclusions against.
    The engagement I had from the partner organisation was focussed on their need to be able to take certain steps if certain circumstances came to pass. While the focus on the goal was commendable, it served to generate tunnel vision on the part of the partner that put a significantly valuable project at risk.
    Goals and objectives (why) are all well and good. But Knowledge Workers need to be able to link these to processes (how) and information needs (what). Deming famously said that if you can’t describe what you are doing as a process then you don’t know what you are doing. I’d go further and say that if you can’t identify the data and information you need to do what you are doing then you can’t be doing it, at least not without massively increased costs and risks (particularly of non-compliance with regulations).
    In the end I made some assumptions about the what’s and how’s of the partner organisation’s processes in order to meet the goal that they had focussed on so narrowly.
    That enabled me to map out an approach to data protection compliance based on a “minimum necessary” principle. And that got my client and their partner over the hump.
    But, from an information quality perspective, not being able to answer the what/why/how questions means you can’t set meaningful measures of “fitness for purpose”. If you don’t know what facts are needed, you don’t know if information is missing. If you don’t know what use data will be put to, you can’t possibly tell if it is accurate enough.

    So, both Data Protection and Information Quality require people to know the what/why/how questions about their information to allow any meaningful outcome to ensue. If you can’t answer those questions you simply cannot be doing business.
    To paraphrase Deming – we need to work on our processes, not their outcome.