Our client asked us to review users' access rights to systems and data based on their role, as this potentially gave rise to the risk that their access levels may not be appropriate.
Potential issues included exceeding GDPR rights and principles, either on joining or where a user's circumstances change (e.g., moving to a new role within the organisation). Similarly, departing staff also represented a risk, as they may retain access rights to systems/data after they have left if the leaver process is not actioned promptly.
We tested the organisational systems and controls for this area by mapping ‘user journeys’ and performing ‘walkthrough’ work to ensure that the appropriate rights and access levels were being managed. This gave a more holistic view of what people experience when delivering services and helped managers gain insights on how their service fits into the big picture. Our work achieved the following outcomes:
- Awareness: of the steps, outcomes and experiences of users and service providers. It provided the opportunity for them to appreciate the implications of their work on the wider community of users and stakeholders and to take ownership of these areas.
- Aligned understanding: it created a conversation and a shared model and terminology. Greater understanding is the foundation for key staff within the user process journey to appreciate their own performance and accountabilities.
- Seeing the big picture: a journey map helped staff step back from the detail and see the bigger picture, where the work of individual stages and staff fit in, and where assumptions about the majority of users might be wrong.
- Uncovering weaknesses, blind spots and opportunities: the map provided a structured and comprehensive overview of which user needs are already tackled, which are underserved, and which are solved with other tools and touchpoints. Security weaknesses, i.e., where users’ access rights may not be appropriate or proportionate, were also identified and addressed.