Mind of My Own (MOMO) makes award winning apps that support young people to express their views. It’s been used in social care settings and schools across the world and is a great example of the principle Think about privacy and security.
Given the nature of the data they handle, the team behind MOMO were strong advocates for data protection from the start. For example, they registered with the ICO and ensured they were compliant with data protection guidelines.
Despite this, when selling the service to local authorities they found themselves continuously answering long lists of questions around the security of the data. This was proving to be a big barrier to their growth, so the team decided to take their data security to the next level, by becoming compliant with ISO27001. This was a huge commitment. At that time they had just three in the core team and only one person was full time.
The team learnt some key lessons during the process. For example, that while there is a technology component to having robust privacy and security, it’s actually much more about the whole organisation’s principles, processes and culture. For that reason they chose to have a Director leading the process, who took charge of accountability and oversight across the whole organisation. But even with a highly experienced person leading the work, there were still challenges. It’s easy for Information Security to just fall to one person rather than being spread across the team. Equally it can be challenging for that person to balance the different organisational priorities of growth alongside the commitments to information security.
Building on their lessons, the team have built on their learning and continue to be a leading example of maintaining privacy and security. An important part of their success is how they’ve embedded privacy and security processes into the whole team. Each month the information security lead meets with individual members of staff and selects an aspect of information security that matches the team member’s skills and interests. Together they assess the risks or opportunities of this area.
The information security lead was worried the team would find it boring, but in reality they found it interesting and empowering. It’s turned privacy and security from being something unknown into a functioning part of the organisation. The team now bring up areas they want to address, rather than it being just one person’s job.
This theme of collaboration also extends to the way MOMO have managed the technical side of the ISO27001 compliance. They’ve developed a strong collaborative process with their technology partner Neontribe’s own security expert. Both Information Security leads have a weekly catch-up call which enables them to rapidly deal with any issues that are raised week to week.
While it’s been a lot of work, the impact of improving their Information Security has been huge. It’s helped enormously with the pace and progress of their sales of the service because the public sector organisations they work with instantly know their needs around security are being met by MOMO’s strong processes. Equally the team have found that their knowledge and experience in this area has had helped reassure frontline workers using the app.
Clearly ISO27001 compliance is not appropriate for everyone, but the MOMO team have shown how privacy and security can be embedded in an organisation, no matter how big or small.