What is Defensibility?
Posted on 14/05/21
If you’ve had the dubious pleasure of attending any of my presentations over the past few years, you may very well have noted the emphasis I place on defensibility.
But what is it, and why does it matter so much?
Generally, defensibility refers to simply being able to defend a decision based on process and/or evidence.
That seems trivial enough. But a useful way to think about it is this: in the event of a mishap, such as a data breach resulting from an incorrectly redacted SAR disclosure, the director in charge of compliance may find themselves in front of a judge, having to answer the question: “On what basis did you feel it was appropriate to disclose the individual’s personal data?” At this point that director needs to have a very good answer, particularly as directors are (in the UK at least) criminally liable in the event of a breach.
Now, the reality is that mistakes happen. Accidentally neglecting to redact a piece of information is excusable, as long as it’s a good-faith mistake in an otherwise solid process with proper evidence and documentation. Nobody is perfect, no process is perfect, no technology is perfect.
Simply not taking any measures to do the job is a worst-case scenario. However, doing the job without any defensibility framework in place is almost as bad, as it leaves you exposed to questions to which you may have no answers, and no evidence to back up your answers.
That’s why, when dealing with compliance matters, just like in legal matters, it’s so important to have solid, well-defined and documented processes in place with properly preserved evidence and audit trails.