The media is littered with examples of severe data breaches in the public sector going back a decade or more. From insecure databases storing information about vulnerable people, to laptops and USB drives left on trains, the number of reported breaches continues to climb.

In data reported on 19th September by the Information Commissioner’s Office (ICO) covering Q2 2017, local government had the third highest number of reported data security incidents at 63, behind health (283) and ‘general business’ (80). The question is that if local authorities are already reporting breaches in such numbers on such a regular basis, how will they fare in the new world of GDPR from 25th May next year?

Unsurprisingly, given that local authority budgets have been cut by 22% since 2010, the strain of systemic underfunding is still all too apparent. Data protection compliant processes have never been budgeted for or rolled out, while archaic storage and filing systems are still rife.

This extends to letter-heavy, high-risk and highly GDPR-unfriendly practices when dealing with individuals. It is exacerbated by the fact that local government organisations handle the most sensitive special categories of personal data, notably data relating to children, in a B2C environment.

GDPR provides a real opportunity to join the dots between business continuity, risk and technology. It offers the chance to finally move from fear of regulation to fortification of reputation when dealing with data protection and processes.

The biggest challenge ahead of local authorities is that, unlike the Data Protection Act which the GDPR will replace, it is not a simple tick-box exercise. Instead, organisations need to take an overall risk-based approach. Transparency and accountability are the two principles that run right through the regulation, along with the fundamental right of the individual to have their personal data protected.

From May 2018, the ICO will be looking for three specific signs of progress on how all organisations are complying with the GDPR. The first sign is the appointment of a data protection officer (DPO), a senior figure who acts as an independent advocate for the proper care and use of personal information.

The skills required of a DPO are very specific. The DPO needs to be a senior person who can challenge the board and has the confidence to ask the right questions of the IT department as well as of the council itself. There can’t be any conflict of interest, so organisations must avoid the temptation to simply repurpose their Head of IT as the new DPO.

The second sign, which sits within this new officer’s responsibility, is to oversee a data protection impact assessment, which ensures that organisations don’t over-process personal data, don’t over-collect personal data and always know where that personal data is kept. It’s important to recognise that the GDPR applies not just to electronic personal data but to hard-copy personal data as well.

It is anticipated that there will be a huge rise in the number of subject access requests (SARs) from May 2018, when individuals can ask organisations to reveal the personal data held about them, and separately exercise their right to have it erased. Without the groundwork outlined above, it will be extremely time consuming and potentially expensive to locate the right data.

The third sign focuses on industry best practice and whether your organisation has implemented a code of conduct that your staff are equipped and trained to follow.

According to the ICO, signing up to a code of conduct or certification scheme is not obligatory. But if an approved code of conduct or certification scheme covering an organisation’s processing activity becomes available, the organisation may wish to consider working towards it as a way of demonstrating regulatory compliance.

When the floodgates open to SARs and investigations by the Information Commissioner’s Office, it will be vital to be able to demonstrate a direction of travel and to maintain accurate records of what changes and training have been carried out. These logs will be very important in the wake of a personal data breach after 25th May 2018, as having done the right thing will be treated as a mitigating factor by the regulator.

Green Park has partnered with Henley Business School to develop a Ten-Minute Guide to the GDPR countdown. It contains advice for everything from checking supplier contracts to ensure they guarantee compliance with the new regulation to appointing your DPO.
Act now by:

 

Written by Andrea Trainer, Partner of the Public Sector Practice at Green Park, this article was published by The MJ.
