Excel spreadsheet vulnerability leads to KCC’s Grenfell Tower data protection verdict

We are in the final stages of counting down to the General Data Protection Regulation (GDPR), which officially comes into force on 25^th May 2018. This means that these are the final weeks for businesses to assess, implement, and amend processes to sufficiently protect any data that is collected and stored before significant penalties come in for slack information protection practices.

The important thing to remember when considering the new regulation is that thinking you are compliant and acting with good intentions is not enough to prevent prosecution. 

The council was responding to a freedom of information request by journalists following the Grenfell Tower fire, which tragically took the lives of 71 people in June 2017. In essence, the council was trying to meet their obligations to sufficiently share information in a timely manner. Let’s take a look at Kensington and Chelsea Council’s (KCC) recent prosecution for inadvertently sharing 943 names and addresses of people who owned vacant homes in the borough. 

The issue arose when the information being shared was done so in Excel, using a pivot table, which revealed the sensitive details when double clicking on a cell. Council staff thought that hiding the cells was sufficient to protect personal information from being accessed. Excel is an amazing piece of technology, but it can easily get businesses into trouble. 

A lack of training, along with using the wrong tools for the job, led to a data breach and fines of £120,000 for KCC. If this misguided attempt to comply had happened after 25^th May, the fines could have been significantly higher. Of course, that’s without even considering the potential impact on the people whose information was exposed, as well as other financial and reputational losses. 

Even well trained Excel users can come up short if using this technology to share anonymous data. GDPR requires that data is stored and processed securely, and Excel is a high-risk option for this. How can your business ensure you are compliant with legislation and have adequate security measures in place? Have you even considered the requirements of the GDPR yet? 

So, what’s the right way? 

Protecting your business is clearly crucial, and technology can play a huge part in this. As many of Ventiv’s clients are data controllers and process personally identifiable data (PID) from European citizens, we have introduced a dedicated software solution that has been specifically designed with data protection in mind. 

Our Data Governance module allows businesses to securely process data, introduce better practices for auditing, and respond to access requests from data subjects. This is achieved through several options: 

1. Anonymisation of records
2. Setting retention periods on records
3. Identifying, tagging and locking personal data
4. Deleting records

Our RiskConsole Advance clients who have opted to activate these additional capabilities say that the added protection is a fundamental part of their GDPR compliance process. Extracting and sharing data using these capabilities strips out identifiable data and records an audit trail—which could have saved KCC (and the people whose data was shared) a lot of grief.

Only time will tell how effective new GDPR legislation will be in protecting our personal data, and how severely organisations will be reprimanded for failure to comply. My gut says that it will take a few prosecutions before all businesses take it seriously. The task for your business now is to implement solid processes and be prepared to show evidence of how robust these procedures are.

 Jamie McDonnell is UK Territory Manager with Ventiv Technology, based in London. Email Jamie at jamie.mcdonnell@ventivtech.com. Connect with Jamie on LinkedIn.