
Spreadsheets: the Achilles' heel of GDPR compliance efforts

Published 03 November 2017

Andrew Beverley, founder and managing director of Ctrl O, warns that corporate and public sector GDPR compliance plans could be derailed by spreadsheet over-reliance


By now, few serious organisations can be unaware of the impending General Data Protection Regulation (GDPR), which comes into force on May 25 next year.

In fact, most will have already started making at least some provision for more responsible and transparent data management, with cleaner lists and tighter management controls.  But what about where that data is housed?  For many organisations this means one thing – spreadsheets.

The fact is, spreadsheets are an inadequate repository for personal data in a GDPR-compliant organisation, as they provide poor audit trails, access controls and versioning. Anyone can download, email, copy and modify spreadsheets without record, which post-GDPR is simply an accident waiting to happen.

In 2015 the Daily Telegraph ran a story on the dangers of errors in spreadsheets, warning that they could lead to the next major Enron-style corporate disaster.  The piece highlighted a number of high-profile and costly catastrophes, including the spreadsheet error on the West Coast Mainline bid that cost the UK taxpayer £60m and the instance when a similar slip caused problems for JP Morgan's Chief Investment Office.

Since then, it seems, very little has changed.  In our experience, organisations are still misusing spreadsheets and continuing to ignore the warning signs.

This is not to argue that spreadsheets are inherently flawed.  On the contrary, they are an excellent tool for analysis by individuals and small teams who know what they’re doing, understand the data and are likely to recognise unlikely outcomes or anomalies.  The problems occur when large volumes of data, collected over time and distributed between many people who are all inputting information, are managed this way.  Even more so when decisions are being made based on that accumulated data.  Add to this the need to comply with stringent new rules on managing personal data, and it isn’t hard to see the danger for large organisations.

Often, users turn to the spreadsheet because it’s a tool they’re familiar with, to counter inadequate standardised systems that have been introduced by the organisation.  For example, when standardised systems don’t provide the calculations that are needed, or they don’t accept data input in the format that users encounter in reality, or they don’t give timely results, and so on.

These user-created work-arounds are known as ‘shadow systems’.  The problem with them is that they are almost never created professionally, and this makes errors inevitable. When programmers develop solutions to be used by large groups they perform rigorous tests and inspections to counterbalance the human error factor and to ensure they’re robust.

This is particularly pertinent for organisations dealing with sensitive data on a daily basis, especially those in the public sector.  When Ctrl O first began working with the MoD, for example, the Ministry’s operational information and finances of its global defence engagements were kept in numerous spreadsheets.  This led to poor data integrity and limited ‘version control’ due to a lack of simultaneous editing capabilities.  This weakness was compounded over time by a lack of visibility and control over changes made.

By introducing our Linkspace software, the MoD was able to manage and securely share that data, as well as coordinate projects, tasks and records across many sites and 600 users around the world. Crucially, they could also create CSV downloads and uploads of data, which meant they could continue to work in a way familiar to them, without compromising the integrity of the data.

By identifying and dealing with these data silos, other organisations can begin the process of digital transformation and, hopefully, avoid some of the headaches currently being associated with the new GDPR regulations.

For those relying on spreadsheets, however, small errors can quickly become big problems.  Here are some key signs of ‘spreadsheet over-stretch’ to watch out for:

  • Multiple, dispersed points of data entry – communication, understanding and breaks in continuity are all exacerbated by geographical dispersion;
  • Data entry culture – if the members of staff entering the data don’t own the outcome, a lack of understanding will ensue; this is amplified when staff change and ‘hand-over’ can be superficial;
  • Formulae and macros – where data is being captured for consolidation elsewhere and formulas sit in the sheet, in time, something will be copied, moved, overwritten, edited – or similar;
  • Unclear version control – unless everyone is using the up-to-date sheet, errors are bound to occur.

Each of the above is a high-risk indicator. If you have important data being captured in a system of spreadsheets that has one of those characteristics, ensure you have controls in place to mitigate the risk. Better still, create a secure, flexible repository for personal data, which is simple to use and recognises that different people use the data in different ways.  Ideally, there will also be an audit trail of everything, combined with access controls and permissions to safeguard data integrity.

When GDPR comes into force next year, it is likely that operational teams are going to be responsible for making their own systems compliant, as they are the people who understand and 'own' the outcomes.  For those with simple safeguards in place that is going to be a far less daunting prospect.

Andrew Beverley is founder and managing director of Ctrl O

