But they are not quick and they are not necessarily easy. This depends on how big they become and how much information you choose to put into them.
Information assets are the lifeblood of any organisation. Without information a business simply cannot run, so it is vital that they are managed appropriately. The National Archives defines an information asset as “a body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited efficiently. Information assets have recognisable and manageable value, risk, content and lifecycles.” What’s more, an asset can be an actual thing, such as a filing cabinet, a network drive, a server or a singular piece of paper such as an invoice. Generally, singular pieces of paper are categorised into larger assets such as ‘XYX Invoices’, unless the singular invoice is part of a bigger process, because an asset can also be a process. Take a process such as the ‘Violent Patient Scheme’: as an asset, the majority of it is made up of phone calls, emails, and feedback forms, but without it you may not have the ability to offer a service to a patient.
Information Asset Registers are usually found in an Excel spreadsheet. This is because they have quite a lot of information that needs to be entered per item, and a spreadsheet is the easiest layout possible. They can have hundreds to thousands of lines on them, depending on how large and complex your organisation is. You cannot do it alone as a single member of staff; you will need assistance. A point to note, though, is that it’s also okay not to have many assets. People try to overcomplicate the information asset register at times for fear they’ve missed something, but if you set your register up correctly and you undertake the audit thoroughly, you cannot go wrong. The easiest way to keep an information asset register up to date is for an IAO to hold a local copy that they constantly update, or to have it in a collaboration zone where it can be accessed regularly.
The governance of information asset registers (IARs) is usually by Information Asset Owners (IAOs), who report into a committee headed up by the Senior Information Risk Owner (SIRO). Other roles commonly found on this committee are a Departmental Security Officer (DSO), an Information Technology Security Officer (ITSO) and a Department Records Officer (DRO). These are not full-time roles for most organisations; they tend to be undertaken by someone in an existing post, so a Records Manager, for example, may well be the DRO. The DRO is the one who looks after the main IAR on behalf of the IAOs, but IAOs may keep local copies of the IAR. This governance is brought down by having senior management buy-in. These roles are typically found in the public sector, but there’s nothing to say that they couldn’t be used in other sectors. It’s about role definition, ensuring that each area is covered, and having a position within Information Management to which you can escalate if something goes wrong.
So what do IARs do? They are a graceful way of controlling the information within any one organisation. IARs are multifunctional spreadsheets covering records management, data protection, freedom of information, information security and information risk. They cover topics such as: who owns the asset; which directorate it belongs in; what its purpose is; who to contact about an issue; what format it’s in; where it is located; how long it’s kept for; what the earliest record you have is; whether it contains personal data; whether it contains special category data and, if yes, what processing condition(s) you are using; when it was first created, implemented or first started to be used; whether a DPIA has been undertaken and when; whether privacy by design was addressed and the outcome; whether there is a risk to the asset; whether it is published; who has access to it; when it was last requested under FOI; whether it contains any market-sensitive information; whether it is legally privileged; whether it holds any exemptions; and more.
So, are information asset registers useful for GDPR? Yes, because you can use one as a way to tease out your records of processing activities. You are also documenting your reasons for processing, the purpose of the records, the retention period and the earliest document you have. By undertaking an IAR, you are also showing accountability for the information you hold. This means that it helps towards Article 5.1(a), (b), (d), (e), (f) and 5.2, along with helping to comply with Article 30. It doesn’t tick the list off, because if you’re filling it out and you notice that you’re using an information asset for a purpose it wasn’t intended for, then there are further actions to be considered. Moreover, if a DPIA hasn’t been undertaken and the asset needs one, you can start addressing it. What an information asset register does is give you a fantastic dashboard and overview of all of your information assets and their status. This means you no longer have to keep it all in your head!
The only thing I can honestly suggest is that you don’t rush filling it out. If you feel yourself only adding one processing condition per hour that you’re sat working, then that’s fine. Sometimes it’s really not easy, but equally, you’re on your way to improving information management throughout your organisation just by starting.
If you need assistance with the creation of an IAR, providing training to IAOs, or how to undertake an audit, please contact me on firstname.lastname@example.org and I’d be happy to assist.