General Data Protection Regulation (GDPR) and Spreadsheets


One of the main concerns about the GDPR is the requirement for businesses outside the EU to comply with EU law on protecting personal data. One aspect is that businesses need not notify customers of a breach if the data is encrypted. But what if the company has an unsophisticated view of the encryption method it uses? In Excel, people hide rows, columns or sheets, or change a font colour to white, thinking that makes the data invisible. That is, however, easily reversed. On the other hand, file-open encryption in Excel is reasonably secure.

These points are covered in the Spreadsheet Safe syllabus. Users may delete the data sheets on which pivot tables are based, and then publish the spreadsheet with the table showing an anonymous summary. But the end-users may not realise that a simple double-click on a pivot table cell creates a new sheet from the pivot cache with all the detail records behind that cell. Certainly not everyone uses pivot tables, far from it, but this risk is covered in guidance from the UK Information Commissioner's Office (ICO), which has fined public bodies that disclosed data in this way.

In May 2016, the ICO fined Blackpool Teaching Hospital Trust for posting private details of over 6,000 of its staff members on its website.
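A pre-publication check for the hidden sheets, hidden rows and columns, and retained pivot cache records described above, as an added example that is not from the original post. The function names `audit_xlsx` and `build_sample` are hypothetical, the sample package is constructed and contains only the parts the check reads, and white-on-white font colour is not covered.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

def audit_xlsx(data: bytes) -> list[str]:
    """List content that is stored in the file even though it is not on view."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in sorted(z.namelist()):
            if not (name.startswith("xl/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(z.read(name))  # intended for your own files
            if name == "xl/workbook.xml":
                for sheet in root.iter(NS + "sheet"):
                    state = sheet.get("state", "visible")  # hidden / veryHidden
                    if state != "visible":
                        findings.append(f"sheet '{sheet.get('name')}' is {state}")
            elif name.startswith("xl/worksheets/"):
                for tag in ("row", "col"):
                    n = sum(e.get("hidden") in ("1", "true") for e in root.iter(NS + tag))
                    if n:
                        findings.append(f"{name}: {n} hidden {tag} element(s)")
            elif name.startswith("xl/pivotCache/pivotCacheRecords"):
                n = len(root.findall(NS + "r"))  # one <r> per source data row
                if n:
                    findings.append(f"{name}: {n} cached detail record(s)")
    return findings

def build_sample() -> bytes:
    """Constructed minimal package (not a complete workbook): data sheet deleted, cache kept."""
    x = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    parts = {
        "xl/workbook.xml": f'<workbook {x}><sheets><sheet name="Summary" sheetId="1"/>'
                           f'<sheet name="Staff" sheetId="2" state="hidden"/></sheets></workbook>',
        "xl/worksheets/sheet1.xml": f'<worksheet {x}><cols><col min="2" max="2" hidden="1"/></cols>'
                                    f'<sheetData><row r="1"/><row r="2" hidden="1"/></sheetData></worksheet>',
        "xl/pivotCache/pivotCacheRecords1.xml": f'<pivotCacheRecords {x} count="2">'
                                                f'<r><s v="A"/></r><r><s v="B"/></r></pivotCacheRecords>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()

if __name__ == "__main__":
    print("\n".join(audit_xlsx(build_sample())))
```

Any finding means the file still carries data that the visible sheets do not show, so it should be cleaned before it is published.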


There are many other stories of data leakage from spreadsheets:

In June 2017 it was reported that 1.1 terabytes of personal details of nearly 200 million US citizens were exposed. The information was stored in spreadsheets uploaded to a publicly accessible Amazon cloud server owned by Deep Root Analytics.

In September 2017 AIB apologised for losing personal information relating to over 500 of its customers in the west of Ireland. Printed material containing names, loan and deposit balances, as well as account turnover and annual fees which had been collated on a spreadsheet, was lost by a staff member on August 31 while travelling between two branches for an internal meeting which was organised to discuss a general review of branch portfolios. The bank has reported the matter to the Office of the Data Protection Commissioner.

In October 2017, West Sussex Council found they had left personal details of around 1,400 disabled people, foster parents and carers on their website in an Excel spreadsheet for seven years. The Information Commissioner’s Office has been informed.

Patrick O’Beirne,
Systems Modelling Ltd
XLTest Spreadsheet Auditing
@ExcelAnalytics    mob:+353 86 835 2233
