The EU’s General Data Protection Regulation (GDPR) comes into effect in May 2018. It introduces a new set of requirements for all organisations who manage and hold personal data about people located in the EU.
The clock is ticking, and as the deadline approaches we know that many organisations will struggle to meet that deadline. It would be a mistake for anyone now to think that the GDPR will not apply because of Brexit. Not only will the UK still be part of the EU when the GDPR comes into force, but it is clear that the UK will choose to adopt the GDPR post-Brexit via its new Data Protection Bill, and it will certainly apply to local government as much as to business.
Simply viewing the GDPR as just another administrative burden on business and government from the EU would be a missed opportunity. With the increasingly critical nature of information governance to protect reputation, privacy, and data assets, let alone to exploit the power of data to deliver better services, the GDPR should be welcomed by organisations, if it is handled correctly.
Organisations now process more personal information in more ways and citizens are increasingly worried about how their personal information is used and whether it is safe from identity theft. The GDPR has been designed to address these risks to privacy in the modern world, setting out what organisations need to do manage information risk and so to keep the confidence of the public.
Indeed, organisations that treat the GDPR as little more than a cost are likely to waste time and effort ‘ticking boxes’ to appease auditors, and will potentially miss the opportunity to create new business value through improved information management.
Anecdotal evidence suggests that whilst by now most councils recognise what the GDPR means for them, the challenge remains in how to prepare and how to develop improved and sustainable information governance and data management practices. This report focuses on helping local councils to prepare for the GDPR, providing a framework for suggested actions and on-going good practice. But if you are not well-advanced now in your preparations, planning and execution, you will struggle to achieve compliance in the time left.
The report has been updated several times over the last 18 months, as new guidance has emerged and as awareness grows. Those interested in the GDPR should seek out the material freely available on the internet, from law firms and in particular the excellent guidance provided by the Information Commissioner’s Office (ICO). Take care though, not all free GDPR guidance is sound.
What is the GDPR?
The General Data Protection Regulation (GDPR) aims to harmonise data protection laws across the EU. Currently, each country has its own rules and regulations, enacted in response to a 1995 Directive, which means that although the laws around the EU are all fundamentally similar, there are significant variations. It seeks to protect data about individuals in the EU , applying to any organisation in the world whether in the public or in private sectors, that offers goods and services, or monitors the behaviours of those in the EU,.
The UK Data Protection Act 1998 (DPA) provides a comprehensive framework for data processing, but from May 2018 the GDPR will go further than the 1998 DPA, enhancing citizens’ rights in knowing what data is held about them, and to have that data deleted (the ‘right to be forgotten’). It brings in greater transparency, accountability and governance requirements, such as introducing a new obligation to notify data breaches (within 72 hours of awareness).
Summarising some of those citizen rights:
• To have my explicit, informed and willing consent before my data is collected, unless another legal basis for collection exists
• To be forgotten and to have data held about me deleted on request
• To have errors in my data corrected
• To know that data about me will not be held longer than necessary
• To expect data about me to be held, shared and treated securely at all times
• To privacy, so that data is only used as intended, with limited processing
• To have my data given back to me, so I can use it or share it elsewhere if I want
• To opt out of direct marketing and not to be ‘profiled’
• To have information held about electronically transferred to a third party on my request
• To be request that most decisions about me are made by a human, not a machine.
The reality is that legitimate interests, legal requirements, and other grounds (that will be covered in the Data Protection Bill) will apply in some cases for data collection, though consent requirements have been tightened up. Equally, there are some preconditions that have to be met before data deletion is accepted when requested, so a data subject cannot require the deletion of any of their data – just data when certain circumstances apply.
The data protection measures that the UK Information Commissioner’s Office (ICO) has championed, such as privacy impact assessments (PIAs) and ‘privacy by design’, will become legal requirements under the GDPR for all organisations in many circumstances.
The DPA is now nearly 20 years old, and has, naturally, begun to show its age. The GDPR brings data protection up to date with more recent technology changes that impact privacy and protection. For example, for the first time, specific categories of personal data are defined as in scope: an IP address can fall within the definition of what is personal data, as can genetic and biometric information.
The GDPR, like the DPA, applies to structured sets of manual records which contain personal data, where information about individuals can be identified by specific criteria. But it also outlines specific requirements regarding data collection that were not in the DPA – for example, that personal data must be given freely, not as a condition of receiving services, and that consent to collect, store and use data must be explicit and informed, not implied.
Whilst the DPA allows citizens to make, for a fee, ‘subject access requests’ to see what data is held about them, the GDPR goes further in making this more specific, with a requirement to be able to have data extracted and sent in electronic format to the data subject, free of charge. So, we as individuals should all, in theory, be more in control of our data under the GDPR, with the ability to do such things as deciding if we want our data to be shared between service providers.
This is particularly important given growing public concerns about the connections made between apparently anonymised personal data and pseudonymised personal data, whether in areas such as retail or health services.
For local authorities there are many challenges in implementing GDPR, because of the numerous systems and the volume, complexity and variation on the range of personal data they need to hold. Shared services, devolution, and advancement in technologies that capture personal data, all make GDPR compliance especially complex.
At the same time, the connections that public services can make between different data sets can benefit us all, not just in reducing costs by being more efficient, but in terms of providing better and more targeted services which reflect our needs and our preferences. Data linkages can also help councils to work together and with other public agencies to protect us better as individuals, families and communities.
As citizens, we all benefit from data being linked that allow public services to be better joined around our specific needs, such as when we need health care. As consumers, we are often prepared to give out our private data to receive more personalised services that reflect our preferences. However, these data connections which combine sets of private data can result in privacy risks.
The GDPR introduces more specific controls, definitions and checks to help avoid this digital opportunity leading to our personal data being exploited against our wishes. This will maintain trust in how data is used and stored, without which digital government will be at risk.
The real challenge for organisations lies in being able to show that they have the systems, controls and the records in place to comply, not just to be fortunate enough to avoid a data breach ‘by hook or by crook’. The new ‘accountability principle’ in the GDPR requires organisations to prove their compliance – for example, by undertaking staff training, audits, maintaining documentation on processing activities, and having appropriate and auditable information governance policies and processes in place.
From May 2018 councils can expect to receive many ‘Subject Access Requests’ (SARs) where citizens want to know what data is held about them. Poor preparation will make it hard to meet those requests efficiently. Ultimately however, failure to comply may be proven only if there is a serious data breach – but with the potential of fines being levied, let alone the impact on reputation, ignoring the GDPR would be a risky and expensive option for councils. Moreover, not fulfilling data subjects’ rights in the time allowed will attract a fine, and some people will exploit this where organisations are not ready and able to respond.
Will Brexit exempt the UK?
Some organisations were, until recently perhaps, not convinced the GDPR would apply after Brexit– after all, it’s an EU regulation and the UK is leaving the EU. We already have the DPA – what more is needed?
However, in January 2017 the ICO confirmed that GDPR will apply (see their website):
“The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. The ICO is committed to assisting businesses and public bodies to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. We acknowledge that there may still be questions about how the GDPR would apply in the UK on leaving the EU, but this should not distract from the important task of compliance with the GDPR.”
The Information Commissioner’s Office (ICO)
More recently in August 2017, Matt Hancock, Minister for the Department for Digital, Culture, Media and Sport issued a ‘Statement of Intent’ that confirmed that post-Brexit a new Data Protection Bill would be the legislative vehicle used to implement GDPR requirements into domestic law, stating:
“Bringing EU law into our domestic law will ensure that we help to prepare the UK for the future after we have left the EU. The EU General Data Protection Regulation (GDPR) and the Data Protection Law Enforcement Directive (DPLED) have been developed to allow people to be sure they are in control of their personal information while continuing to allow businesses to develop innovative digital services without the chilling effect of over-regulation. Implementation will be done in a way that as far as possible preserves the concepts of the Data Protection Act to ensure that the transition for all is as smooth as possible, while complying with the GDPR and DPLED in full.” (see here)
In any event, councils already hold an increasingly complex array of inter-linked data that requires care in dealing with personal data:
· Sharing services and functions, or processing data on behalf of one another
· Holding and processing data about vulnerable adults and children in particular
· Highly sensitive data which requires special care, such as the Child Protection Register
· Connecting datasets together for new insight across a range of public services, for policy planning and better service delivery
· Using data and information to target services, goods and early intervention, for reasons of improved efficiency, revenue collection or as new commercial opportunities emerge
· CRM (Customer Relationship Management) data to capture data about transactions and service use
· ERP systems holding personal data about employees of an increasingly sophisticated nature.
For all these reasons, it makes sense for councils to plan early for the GDPR and take a broad view of the range of information governance and management practices that they need to have in place. The GDPR is here in full, irrespective of Brexit, and citizens will not expect to be short-changed on privacy laws compared with other countries. It is better to understand its impact and plan for changes in internal information governance sooner, rather than to risk playing ‘catch up’ later.
“The [Data Protection] Bill will give people more control over their data and require more consent for its use, and will prepare Britain for Brexit”
Matt Hancock, Minister of State for Digital, August 2017
Isn’t it just good practice?
Councils already hold an array of data about people that will fall within the scope of GDPR: data about taxpayers, residents, voters, contractors, employees, service users, customers, contractors and more. The GDPR aside, there is a responsibility to look after personal data because public trust and expectations of their public services will require it. Without this, digital government is a non-starter and the future benefits of information insight for public benefit would be compromised.
The GDPR is designed for the digital world, where personal data is increasingly held electronically, with potentially significant new marketing, communications and public service improvement opportunities. Councils are moving ahead quickly in adopting digital methods of working, with growing numbers of systems designed for automated self-service and making logical connections across related services for their citizens.
The same is true for data held about council employees. Councils hold and process personal data in systems to increase employee empowerment, mobility and career opportunities, such as in HR systems, access and role-based security, payroll and many other related areas offering employee benefits that depend on personal data being held and processed. Digital methods offer huge potential value, if managed carefully.
For this to be successful, everyone must trust how councils use and hold personal data – that it is secure and used responsibly, with transparency for the data owners. Without that trust, citizens are much less likely to agree to share their personal data or to choose to transact electronically. This would be disastrous for councils now relying on digital delivery to help meet growing demands for services whilst at the same time finding unprecedented efficiencies because of cuts.
Take, for example, the plans to digitise care records. If we, as citizens, do not believe those health systems that hold our records are secure, that our data is kept up to date, shared appropriately and safely, and that we can find out who holds what data about us, then the plans to digitise health services just won’t work. The well-intentioned but poorly executed Care.Data programme is a good example of a failure of trust from citizens and practitioners alike that results in huge set-backs to digital public services. It is not just ‘good practice’, it is fast becoming a necessity.
With the growing importance of using personal data, and the risks associated with it, the ICO is working ever more closely with regulators in other countries to protect UK citizens and our economic interests. The UK digital economy will depend on it, and so will the security of UK digital citizens increasingly at risk from international fraud and cybercrime – the GDPR is now not just about privacy and citizen rights regarding their data, it is also about protecting UK interests.
In November 2016, Computing magazine investigated the priorities for business leaders regarding data security.3 For large organisations with more than 500 staff, the GDPR was top of the list. For smaller organisations, disaster recovery and user awareness of security were higher concerns. That pattern is likely to be the same for local government.
This means that the GDPR has to be viewed in a broader way to encompass IT architectures, policies, working practices and business continuity as well as being able to respond to subject access requests by knowing what personal data is being held, where and for what purpose.
Larger councils, such as county councils and unitary councils, will find the GDPR particularly challenging, because citizen data will be spread over many systems and departments. Unlike most private sector businesses and even Whitehall departments, larger councils run huge numbers of different services (up to 700, according to the LGA), each with perhaps more than one system holding some personal data. Although current law would require them to find this data, the increased fines in the GDPR and more stringent requirements in defining personal data and how it is used, increase this risk and the challenge.
The wide-ranging implications of the GDPR on processes, systems and IT support means that it is a non-trivial challenge to comply for all but the very smallest and simplest organisations (and even small district councils are complex by their nature). For example, lots of redundant data, poor quality data, or simply not knowing where data is located, may mean personal data is held but not easily identifiable. The proliferation of digital records held across multiple systems, located in the cloud or ‘on premise’, is the situation for most organisations.
Identifying, extracting or erasing all data about someone on request is a complex task, and so the GDPR compliance requires rigour in information management practice. Any council that suffers a serious data breach and cannot subsequently demonstrate that it had taken sufficient steps to avoid being found negligent, will be liable to significant fines, and the reputational damage is likely to be at least as serious. Failure to comply with the right to be forgotten causes the same problems and risks.
How to prepare for the GDPR
There are some key areas for councils to consider in preparing for the GDPR (and plenty of online guides to help with the detail):
1. Firstly, if you are processing data, the GDPR requires you to maintain records of how you process personal data. If you are a data controller (i.e. you specify how data is processed, say to a partner, supplier or outsourcer), then you must ensure every contract you have with a data processor complies with the GDPR. You also need to be certain that in circumstances where consent is required, you can demonstrate that you have explicit, informed and willingly-given consent for all personal data capture and in how it is used. This includes being clear where councils don’t need consent if data is collected for a statutory obligation.
2. Secondly, you need to have clear responsibilities in place for data owners – responsibility for knowing where data is physically located, for maintaining quality and for its lifecycle management. All councils should have a senior information risk officer (SIRO), ensuring board level accountability and understanding of information risk. Responsibility should also extend to employees – everyone has a duty of care when it comes to information, and that should be clear in HR policies as well as in training plans and job descriptions.
3. Thirdly, councils should review and update their information management policies and practices. This includes specific aspects, such as breach notification processes, as well as general good practice, such as data handling and sharing, security and privacy controls, use of open data, maintaining data quality, common formats for data types, ‘capture once, use many times’, and so forth. A simple set of information management principles covering these areas, agreed with the board or council management team, and administered across the council (which, indeed, should already be a feature of any council’s compliance regime) can reduce costs and risks around GDPR compliance as well as ensure awareness across the business.
4. Lastly, good information management tools are needed to avoid unnecessary manual overheads. The IT team should ensure that there are systems in place, with as much automation as possible, for reporting and tracking, securing transmissions and data sharing. This includes tools such as security access, encryption, data interrogation, identity management, tracking consent, dealing with subject access requests, locating personal data, consistency in data formatting, data matching, implementing role-based security profiles, data testing, firewalls, intrusion alert, reporting, open APIs, and more.
The challenge is to create a consistent and holistic platform for information integrity and protection rather than a random patchwork of tools. This will also allow services such as cloud to be used where appropriate,
with confidence that data controls are not being broken. Some of this lies within the IT department, but there are also tools needed by professionals in council departments, and for specialists in areas such as the legal services team.
Documenting consent is not always easy, and specific systems may be needed to help – such as allowing citizens and employees to submit and update their consent for the data held about them with self-service systems. Whatever methods are used, it is essential that it can be shown that there was not coercion – that personal data is given freely for a pre-determined purpose.
“To read our privacy and data use policies click here” is not adequate under GDPR, neither are pre-ticked consent forms. Consent must be informed, clearly defined and willingly given. This applies to employees too, where increasingly a range of personal data is held, such as links from HR systems to personal health and fitness data on wearable devices.
A structured approach will not only help with GDPR compliance, but also ensure good and sustainable information management practice in any organisation. It reduces business risk, whilst also increasing employee productivity and efficiency by giving information access securely to those who need it, when and where they need it. That, in turn, improves decision-making, customer service and business agility.
The challenge, then, for those officers in councils tasked with information and GDPR compliance is to persuade the executive board and councillors of the priority, in order to justify the necessary resources and commitment in order to fulfil the responsibility. This is a joint responsibility, and CIOs/IT Leaders should work closely with service heads, the SIRO and the Data Protection Office in particular.
All councils are required by the GDPR to have an appropriately trained Data Protection Officer, and they should have a specific responsibility of ensuring overall compliance. But the DPO will need help, especially in selling the value of information management and GDPR compliance as a business benefit, not as an unavoidable regulatory and statutory compliance issue, with the threat of potential fines.
Who is responsible?
Many councils are not clear about who is responsible for information. The CIO, IT, legal services, SIRO, system owners, specific departmental directors and data protection officers, amongst others, all have a role. In some councils, there is also a privacy officer, or internal auditor given specific responsibility for advising on information compliance.
Councils with social services departments and health organisations in England will also have appointed a ‘Caldicott Guardian’, a senior person responsible for protecting the confidentiality of information relating to patient and social care service users, including enabling appropriate information sharing.
In the private sector, there is a growing trend to appoint a chief data officer at board level to oversee the function, but this is still uncommon in local government.
Trying to simplify this picture is helpful in ensuring clear accountability, but there will in practice be many people involved in good information governance, so listing the responsibilities in one pace is helpful.
Under the GDPR, all public authorities and bodies processing sensitive data on a large scale must appoint a data protection officer (DPO). Such an appointment can be shared where, for example, local public services are already in shared service arrangements. The DPO role is to oversee GDPR compliance and to act as a contact point for employees and citizens. The DPO is expected to report to a board level individual, yet operate with a degree of independence and autonomy. As such, the role is broader than the DPO function that already exists in councils today, and probably more senior.
In some councils, the DPO role has been allocated to the CIO (after all, that means chief information officer), or head of IT or the Chief Digital Officer (CDO). This is not good practice unless the CIO has a very broad data remit, sitting at Board level and leading on information governance across the organisation and has the expert knowledge that the GDPR requires the post holder to have. In appointing a DPO, councils must ensure that there is no conflict of interest, and IT is just one component of the GDPR.
Moreover, The DPO must be independent from the data controller and not be responsible for the determination of the purposes and means of processing personal information. The guidance states that the role would probably with align with a number of senior management positions including Audit, Legal, HR, IT and others, but that it should be distinct.
In whatever way that a council approaches this, two requirements are key:
· Someone at board level should be responsible for information – as a risk and an asset, setting policy, practice and good data/information use and awareness.
· Someone in IT is responsible for ensuring systems, technologies, data handling tools and security practices comply with agreed information policies.
These should not be the same person, unless perhaps the CIO is a board level role with a much wider responsibility than IT leadership. Typically, a SIRO can fulfil the first role, working with the DPO – both of whom should be appointed. Typically, a CIO can fulfil the second.
Other areas in councils also have an interest and responsibilities: Marketing and Communications, HR, Finance, Audit, Legal, and the CEO. All these professional areas need to be aware and actively working together to ensure compliance. Setting a single budget and a plan for securing GDPR compliance is a good place to start to ensure this integration and collaboration occurs without blurring responsibilities, but it also requires on-going investment to sustain that compliance and to maximise information value whilst managing information risks.
What should CIOs do?
Council CIOs are already heavily engaged in transformation programmes, modernising their IT estates and cutting costs in IT and across the business. But it would be a mistake for a council CIO to downgrade the priority of the GDPR in the face of this barrage of work, given the growing importance for councils of good information governance, protection of data and the need to ensure privacy for all personal data.
In fact, GDPR compliance and a greater priority placed on consistent and improved information governance across a council will make the CIO’s job easier, with its focus on better security, improved data management awareness and ownership. It is even arguable that the future of the CIO role lies more in ‘data’ than in ‘IT’.
There are some basic things CIOs can do specifically to help the council get ready:
· Know where system data resides. Ensure systems owners are aware of data assets and their responsibilities for that data – its quality and its use. Provide tools to assist with master data management (MDM) and data cleansing, to improve data quality and awareness, exposing what data is being stored, where it is stored, how it is being used and for how long it needs to be kept.
· Ensure policies exist and can be enacted in practice, for data retention and deletion. Storing everything forever may be affordable, but is already illegal in relation to personal data, and represents a growing liability. IT needs to provide the tools for information risk management, even if IT is not directly responsible for the risk itself.
· Help the executive board and non-IT leaders to understand how to manage information risk – quantification, monitoring and mitigation. Having a coherent information architecture, agreed processes for data handling and a set of information management principles can reduce risk, and the CIO can lead on these.
· Support data mapping activities – not just being able to pinpoint where data resides, but, for example, data in transit, data linkages across applications, and data flows which involve data sharing. Under the GDPR, if inaccurate data is shared, there is a responsibility on those sharing to alert the other organisation to the error.
HR policies should ensure that employee responsibility regarding data use and handling is clear and taken seriously and sanctions exist for poor habits. HR can also assist by providing training and mentoring support. Employees are also data subjects and have rights in terms of the information that their organisation holds about them. IT can help HR colleagues in councils to prepare for the GDPR by providing tools and in ensuring HR systems are capable of compliance.
Unless there has already been a serious data breach or ‘near miss’, then simply asking the council for new money to comply with a new EU regulation is perhaps not the best approach. The reaction is likely to be “what is the minimum we need to do to be seen to be compliant?“. It might be tempting to adjust policies but not to also change working practices. Some councils may already be doing the minimum in the hope that this will be sufficient.
However, the potential GDPR fines are set at a level designed to ensure that organisations do not simply weigh up the costs of compliance against the amount of the fine. Nonetheless, the threat of fines may not be enough to make some boards invest to ensure compliance, including buying in outside help and updating or replacing systems where this is required, and in any event a ‘threat of the consequences’ is not the best policy to persuade a Board to invest in any circumstance.
Therefore, to maximise the chances of success in securing corporate support, it is important to turn this into an opportunity to promote the benefits of strong and effective information governance, which delivers GDPR compliance as a bonus. After all, good information management practice is often patchy in councils, so focusing on sensitive areas where data is held about children or vulnerable people, and perhaps where there are known weaknesses and risks in individual departmental systems holding personal data can be helpful in focussing minds.
Building a business case
Despite the potential to increase information value and to reduce unnecessary data management risks and overheads, there is still inevitably a cost to GDPR compliance. For councils already facing enormous cuts and a need to reduce or to remove overheads, making the case for a programme to secure GDPR compliance is not easy, and should be based on the benefits as much as the risks.
A council business case for investing in GDPR readiness should fall into three parts:
· Building on ‘business as usual’ – the existing good information and data management practices (hopefully already in place) and getting better value from existing information assets and projects,– managing risks and opportunities and being more streamlined and consistent in information activities. In other words, ‘doing a bit more of what we do already’, to align with the GDPR and address obvious short-comings.
· Building awareness across the council – defining how the GDPR can help to meet citizen expectations regarding their data, where the risks lie and how to manage them better, as well as the penalties and downstream costs of a failure to comply. This awareness will help to understand why the GDPR matters, balancing the benefits against the risk of non-compliance and a potential for fines.
· Undertaking a gap analysis – establishing where the main weaknesses lie in current policy and practice and how these can be addressed, prioritising the aspects which have the greatest risk, benefit or urgency. This should connect the first two items (‘where we are today’ and ‘what the GDPR means for us’), so that the board can understand the GDPR in the context of business ambitions.
In other words:
Investing appropriately in improved information governance will pay off by enabling councils to deliver better services, more efficiently and flexibly. It will also avoid the risks, reputational damage and potential fines from not complying with the GDPR.
All councils vary and have differences, and therefore need their own individual plans to meet the requirements of the GDPR in time for its adoption in 2018. But it is essential to have a plan, effectively resourced, based on the actions that the councils will need to take given their starting position. Concentrate in particular on ‘consent’ and undertaking the necessary privacy impact assessments (PIAs) on systems data risks. There is plenty of guidance is available from the ICO web pages.
Here is a suggested checklist of some of the main things to assist in that planning, covering policy, practice, governance and technology actions. It is provided to assist DPOs (or whoever is leading on GDPR compliance) to build their own coherent plan of action:
Put in place a structured plan, and get it resourced – Easier said than done! This means you need to sell the positives as well as the ‘threats’, and it needs buy-in at Board level. Get some support to do this – in Finance, the DPO, Legal, etc., and focus on ‘better outcomes’ – ‘grip’, improved practice, reduced risk, lower costs.
Establish policies and principles for good IM – For example, Data Protection by Default (DPbD), Privacy by Design (PbD), Privacy Notice, PIAs etc. But describe HOW this will work in practice – e.g. in systems acquisition and deployment. Make it REAL and PRACTICAL and TESTED. Look also at your HR policies and specialist areas such as social care.
Make a full list of procedures you need and prioritise these – There are many, and a list will help to define the priority and the need for investment, suitably targeted – IT procurement, testing, consent, breach notification, data handling, identification of personal data, dealing with SARs, audit, etc. Make sure in particular that you can prove ‘consent’.
Work on the IT Tools you may need – Some of these may exist already, but there could be gaps or out-dated tools: e.g. data matching, data cleansing, data discovery, security, intrusion detection and monitoring, data consolidation and anonymisation. Consent self-service is best practice. Try and get common formatting for personal data.
Establishing roles and responsibilities – Not just the DPO, but also the CIO, all staff, the Board, Legal, Audit, service heads, systems owners, suppliers, the SIRO, HR leads, specific IT roles, etc – It’s important to be clear who is responsible and the reporting lines, and that this is agreed (each organisation will be different). You may need to carry out checks on suppliers.
Raise awareness and train where needed – With a DPO appointed, this should be part of their role. Your choice of ways of communicating and developing cross-organisational skills should become ‘Business as Usual’ not something just for GDPR.
Undertake PIAs, focussing on higher risk areas – Assuming you know where your data is (especially personal data), you can begin to concentrate on the higher risk areas – poor data quality, data relating to children or vulnerable adults, very sensitive data. Make sure you keep detailed records, and make this an on-going action plan. You may need an audit of legacy data.
Here is a suggested checklist of some of the main things to assist in that planning, covering policy, practice, governance and technology actions. It is provided to assist DPOs (or whoever is leading on GDPR compliance) to build their own coherent plan of action:
This check list can also be used as a gap and risk analysis – where are the largest ‘gaps’ with current practice and compliance, and which of these gaps represent the greatest risks, and therefore the priority for intervention?
Councils have already faced much change over the last decade. Budget cuts have forced some services to be stopped entirely, whilst others have been redesigned and streamlined. Part of these changes have been helped by moving to digital operating models, creating new public-private partnerships and by adopting shared services.
The focus has been mostly on process simplification and automation, reducing overheads as a result and streamlining. Information management is now the key to achieving wider service improvement and efficiency:
· To reduce risk and increase value
· To improve services and to target resources, reducing corporate overheads still further
· To put employees, suppliers, citizens, politicians and ultimately the whole organisation in more control
· To understand and exploit data assets better, for analytics, customer insight and performance management
· To upskill staff for the future which will be data-driven
· To move IT from ‘tech’ and ‘process automation’ to ‘information mining’
· To sharpen and standardise contracts, esp. cloud services
· To communicate, connect and collaborate better – with the public, suppliers and employees
· To safeguard and protect resources and people, so increasing the trust in public services
· To improve and integrate cyber resilience, security and privacy practices – a growing threat to all organisations.
Good information management practice helps to ensure that council staff have the data and tools they need to be more productive and effective in their jobs. It also improves democratic accountability and transparency, as well as giving citizens easier access to joined-up digital services which they can use with confidence, security and privacy.
Information disciplines are also now essential for the adoption of new technologies and digital methods – such as cloud, social media, apps, channel shift and more; indeed, it is mostly the fear over data access, control, security, location and management that explains low cloud adoption by councils.
Poor information practice also carries a variety of risks for all organisations, from data misuse, reputational damage, or risks to vulnerable people using services. Addressing the challenge of the GDPR should be a way of sharpening information practices in councils, making it a ‘business opportunity’, rather than just another government regulatory overhead.
Indeed, in the future it is quite likely that some form of kite-marked data management competency will be a requirement of public services holding and using identifiable citizen data – this could be GDPR compliance or ISO information management accreditation.
Finally, councils should assume that the GDPR will apply to them and both the government and the ICO says the GDPR will be enacted into UK law after Brexit. Councils are unlikely to be exempt in any case.
Therefore, action is essential in the last few months before GDPR comes into force, with a clear case made for GDPR compliance now and in the future, to improve information governance as a business need, not just to secure compliance and so avoid the risk of a fine.