Data Changemakers 13: Adrian McGarry, Director of IT, Licensed Trade Charity and Elvian
The Data Changemakers series is a set of interviews and interactions with people who have spent their careers working in or around data and data management initiatives. They have a vision for the data journey and we want to understand what they have learnt and how that drives what they do today. What are their war stories and what advice can they give others embarking on the journey?
Adrian McGarry is the Director of ICT at the Licensed Trade Charity (LTC), the Licensed Victuallers’ Schools and Elvian Ltd. He has also been a Data Protection Officer for over 20 years and is the lead on the GDPR project for LTC and Elvian Ltd. His role includes directing, managing and implementing systems and services to all parts of the organisation, providing centralised information systems including: I.T., audio visual, communication and security systems, to charity staff, office administration staff, teachers and pupils alike.
Please describe a little about your own background and how you ended up working with data?
I have always been involved with data and IT. I started in banking working with scanning bureaux and related technologies and then moved to a software house working on forms recognition and OCR/ICR technologies. I worked at EDO Limited which came out of Cardiff Software UK. We built that business to around £2million worth of support contracts and it was subsequently sold to another company.
“About six weeks later I joined LTC which I thought would be a very different environment. It was a very volatile time in the IT marketplace and I was looking for some stability – I certainly found it as I’ve been here for more than 17 years!”
Would you say that you are a business person or a technical person or something else?
I am definitely a business person with a solid technical background. My technical qualifications are now outweighed by my management experience and business acumen. However I still have many day-to-day technical duties.
How important is technical knowledge when managing others in technical roles?
“I am a great believer in being able to undertake the roles of your team members, if needed, to an extent. But there should be no ‘Jack-of-all-trades’ in the IT sector – you need specialists.”
Similar to other trades, you would not get a plumber to perform an electrician’s job, likewise you would not get an e-learning developer to perform a server administrator’s role. It helps to be able to step in occasionally but mostly having a level of technical knowledge is great for mentoring your team members.
What is your current role and its main responsibilities as they relate to data?
“My responsibilities in relation to data are to ensure information is always on the agenda. Be it how information is entering the business or how it flows through the organisation.”
I am also responsible for strategy across the organisation. This is partly a factor of my senior IT role but also my length of service in that I understand the breadth and complexity of our organisation. As Director of ICT I feel that understanding the breadth of what can be done adds an extra string to our bow in terms of strategic direction and growth of the business.
What has been the most challenging data-related project you have worked on and why? What was your role in it and was the project a success and why?
That has got to be data protection as a whole. About 8-9 years ago we started to sink our teeth into preparing all parts of the business for improved data protection awareness. Our business is very varied (in terms of business operations and stakeholders) so it was really about enabling all of those users to understand what data protection is.
“We needed to convince them that data protection is about good practice not just boring laws and we had to come up with innovative ways to convey this to the stakeholders.”
We took a number of different approaches to this:
- Simple things like stickers to remind people to lock their computers.
- Complex items like producing an educational video. The staff needed to be made aware of scenarios where data protection failings might happen. We took advice from leading Information Security professionals on what to include and built a story-board for a professional mini-film.
- Development of a number of e-learning materials to train all of our stakeholders on the law and how to practically apply it. [These are a range called InfoReady and are commercially available through our company Elvian]
The implementation and roll-out of all of these things are a continuing success. We are always reviewing what we have produced and refreshing it so that we keep it up to date on a regular basis.
What did you learn from the experience?
I very much learned about the importance of effective marketing and keeping things simple.
“Data protection is not about delivering a technical solution. You need to communicate in a very different way and convey that it is primarily about people and process not technology.”
One exercise we did that was very effective was to bring all of our staff together for a one-hour session on data protection. There was a general ‘lack of excitement’ about the idea to start with but this was turned around by what we asked them to do.
We created a “Red Team” exercise where the staff had to unpick the scenario we had presented to them on our video. This made them engage and think in a non-technical way about all of the possible risks and outcomes and consider their own daily activities from an alternative point of view.
What do you think are the key trends in data management today and how do you think it will change the way we all do business?
I think that regulation like GDPR is absolutely something that will impact everyone on a global basis. It still does not seem to be widely known that all countries around the world will have to do something about how they handle the data of EU citizens. In addition, education on the specific parts of the UK Data Protection Bill that is coming will be essential.
“In any organisation, its strength is in its people. Training your staff is critical because if they cause your next breach they could also be your greatest weakness.”
For me data management is all about security – technology, training or something else – it should all be thought about from the perspective of protecting your organisation. This includes Cloud, on-premise, IoT, Big Data, AI and automation.
What do you think the Public Sector can learn from the Private Sector and vice versa?
Having come from business in the private sector what surprised me most about the public sector was the lack of business acumen which is really needed to run any organisation. At LTC we are very lucky because we have a great team that is very aware and business-driven because of their backgrounds.
“Without business awareness two negative things can happen. Firstly you as an organisation can become very stale and introverted and secondly you would fall behind on the advances every organisation needs in areas like technology and certification.”
Charities and Education are heavily regulated but that is not necessarily also a business driver – it’s just a compliance exercise at times that has to be adhered to.
Then in return, I think the private sector can learn a lot from the public sector about the benefits of helping other people. That’s definitely not a financial initiative.
“Private companies of course have to be profitable but there are many lessons that can be learned and satisfaction to be gained in helping others. This can contribute to overall company success in many different tangible and non-tangible ways.”
How do you balance being both ICT Director and a Data Protection Officer?
One element is finding a balance in adopting new technology, and assessing the impact of trying to implement it too early can be a challenge. This is because early adoption can be technically ‘bug-ridden’ and I am always thinking about how to protect the organisation.
For example if someone has produced a new product or is in the throes of producing one, there is usually not enough emphasis on protecting the data within it. Of course they go through Q&A testing but that is not necessarily aligned with protecting end-user data because that is not deemed to be profitable.
Some also believe these are conflicting roles, but you always have to maintain fairness, transparency, alongside a clear code of conduct.
“These days a team of Data Protection Officers that reports to the organisation’s board level is essential. Although not a primary role of any one person’s job function, it maintains scalability for dealing with the data protection and governance across any organisation and parity for ensuring conflict control.”
Rights are now very much switching to the end users and as that happens it gives more teeth to the regulatory authorities to impose greater fines. So technical firms are increasingly going to have to think about this.
What advice would you give to someone embarking on a large data-related project today?
As with any project, scope it well. Define what you think are your end-goals now but don’t be afraid to change them after you embark on the process if you need to.
Never lose sight of your responsibilities regarding the information, the security of it – regulation and compliance. But also think about how the data is used within your organisation. The biggest grey area in the current data protection laws is in the area of data usage on a day-to-day basis.
There is a lot of emphasis on the negative side of GDPR and the focus is on what would happen if there was a breach. Many vendors are promoting their products and services based on this.
“Over the last few years I have been to a variety of sessions from free ones to the expensive one-day seminars and some of them have taken a real ‘hell and damnation’ approach to GDPR. I think this is really bad for the data protection and information security industry as a whole.”
People go in worried about it and come out terrified! That is not a good way for any approach to business or to drive buy-in to any regulation.
Equally I have seen some very apathetic attitudes to it, ranging from “Oh I don’t need to do anything about it – I’ll wait and see what happens”, to “I know – just eliminate USB sticks”.
Where I enter the fray is somewhere between the two – something absolutely needs to be done but there has to be a balance.
“I think GDPR and regulation should be approached in a positive, educational way to encourage best practice in daily behaviours.”
What are you best known for or what do you like doing outside of your working life?
My family. I have a very supportive family including my extended family around the world. We enjoy each other’s company – even if it is just over social media. This is a real positive of technology – you can really close the divide and it enables you to keep up communication and that family feeling of sharing.
I have relatives across the UK, USA, Australia, Greece, Malaysia and other places as well as other countries. We are rarely able to meet up face to face and yet we are all aware of what is going on thanks to social media.
Describe yourself in 3 words
Caring, responsible and friendly.
If you would like more information about LTC’s GDPR readiness process then see our case study here.
If you would like to know more about Elvian’s range of training courses under the Be.Infoready brand please click here.