Due to become law in May 2018, the General Data Protection Regulation (GDPR) is going to affect all UK businesses and organisations regardless of size. The changes will present challenges to local authorities, especially for smaller towns and parish councils who have limited budgets.
Local authorities gather and hold personal data across a wide range of services, from calculating the cost of council tax to informing their community about refuse collection services. This means that they can be categorised as both a Data Processor and a Data Controller and under the regulation, they will need to follow strict rules about personal data which go even further than those set out in the UK Data Protection Act 1998.
At the end of 2016 the Information Commissioner’s Office surveyed 173 local authorities about their preparations for GDPR and found that:
- 34% don’t perform privacy impact assessments
- 25% don’t have a Data Protection Officer (DPO)
- 15% haven’t trained employees in personal data processing
These three areas are of vital importance in the regulations and, without addressing these areas, local authorities will find themselves facing monetary penalties.
While the ICO’s survey showed that the vast majority of those interviewed had trained their staff on the UK Data Protection Act (UKDPA) 1998, 15% haven’t considered the changes that GDPR will bring.
It is vital that all staff are trained properly, as the cost of non-compliance with GDPR is larger than that seen under the UKDPA.
Make sure that training sessions are held to take participants through their responsibilities under GDPR using topics such as:
- how to control, process and store personal data safely and lawfully
- limiting and controlling access to private information
- implications for any existing regulations being followed e.g. the Freedom of Information Act
- handling consent and the rights of data subjects e.g. the right to be forgotten
Local authorities will also need to assign a Data Protection Officer (DPO), no matter how small they are. This may cause budgetary issues for smaller authorities such as town or parish councils, especially when it comes to finding the funds for a new position. This could be addressed with a shared role, as it is possible for a DPO to hold another position within an organisation, provided the duties of that position do not conflict.
Some local authorities may already have processes and systems in place that cover some aspects of the GDPR. The survey from the ICO indicated that a worrying 37% of those surveyed did not have an existing Data Sharing Policy, something you would have expected if they were to be compliant with the Data Protection Act already in place.
Regardless of which processes are already in place, local authorities will find that all areas must be reviewed and updated to ensure compliance. These reviews are not a one-off either: because cyber security threats and practices constantly evolve, data policies must be reviewed regularly to ensure the best possible protection is achieved at all times.
Councils should pay particular attention to establishing an incident management process, implementing an Information Asset Register and performing Privacy Impact Assessments. Not only are these processes great ways to ensure GDPR compliance – Privacy Impact Assessments and reporting data breaches in good time are both requirements under GDPR – but they can also increase public confidence in general.
Due to the nature of the information that local authorities hold, it may not be possible to remove data when a person invokes their right to be forgotten under the GDPR. For this type of case, where data must be kept for legal reasons such as financial regulatory compliance, the data subject should be removed from the retained data as far as possible, perhaps through the use of a pseudonym or anonymisation. This is a complex and specialised area, and local authorities, or more specifically their DPO, may find they need extra help here.
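One way to structure retained records so that an erasure request can be honoured without deleting what must legally be kept is to store the financial entries under a pseudonym and hold the identity mapping separately. Deleting the mapping then "forgets" the person while the ledger entry survives. The code below is an added illustration, not from the original article or any council system; the class, field names and the sample resident are constructed for the example, and the keyed-hash pseudonym is one common approach rather than a prescribed method.

```python
import hmac
import hashlib
import secrets
from typing import Dict, List, Optional


class PseudonymisingStore:
    """Hypothetical store that splits a resident's records into two tables:
    - identities: pseudonym -> personal details (restricted access)
    - ledger:     pseudonym -> financial entries that must be retained
    Honouring a right-to-be-forgotten request removes the identities entry
    only; the ledger keeps its entries but can no longer be linked to a person.
    """

    def __init__(self, key: Optional[bytes] = None):
        # Secret key for the keyed hash. Without it, a pseudonym cannot be
        # recomputed from a subject id, so the ledger alone does not identify anyone.
        self._key = key if key is not None else secrets.token_bytes(32)
        self.identities: Dict[str, dict] = {}
        self.ledger: Dict[str, List[dict]] = {}

    def pseudonym(self, subject_id: str) -> str:
        # HMAC-SHA256, truncated for readability; deterministic so that new
        # entries for the same resident land under the same pseudonym.
        return hmac.new(self._key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]

    def add_record(self, subject_id: str, name: str, address: str, entry: dict) -> str:
        p = self.pseudonym(subject_id)
        self.identities[p] = {"subject_id": subject_id, "name": name, "address": address}
        self.ledger.setdefault(p, []).append(entry)
        return p

    def erase_subject(self, subject_id: str) -> bool:
        """Right-to-be-forgotten handler: drop the identity mapping, keep the ledger.
        Returns True if a mapping existed and was removed."""
        p = self.pseudonym(subject_id)
        return self.identities.pop(p, None) is not None

    def lookup_person(self, pseudonym: str) -> Optional[dict]:
        return self.identities.get(pseudonym)

    def retained_entries(self, subject_id: str) -> List[dict]:
        # Still reachable for regulatory purposes via the pseudonym, even after erasure.
        return self.ledger.get(self.pseudonym(subject_id), [])


def demo() -> dict:
    # Constructed sample data: one resident with one council tax entry.
    store = PseudonymisingStore(key=b"example-key-not-for-production")
    p = store.add_record("RES-0001", "A. Resident", "1 High Street",
                         {"year": 2017, "charge": 1200.00})
    before = store.lookup_person(p)
    erased = store.erase_subject("RES-0001")
    after = store.lookup_person(p)
    return {
        "pseudonym": p,
        "known_before": before is not None,
        "erased": erased,
        "known_after": after is not None,
        "retained": store.retained_entries("RES-0001"),
    }


if __name__ == "__main__":
    print(demo())
```

The important design point is that the key and the identities table are the only things that link a ledger entry back to a person, so both need access control and a retention decision of their own; destroying the key after all mappings are gone turns the remaining pseudonyms into effectively anonymous tokens.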
Privacy by design is the main focus of this regulation. Organisations need to be thinking about why they are obtaining data and how they will stay GDPR compliant when introducing new processes and systems, not just existing ones.
For more information about the GDPR, the Guide to General Data Protection Regulation website from the ICO goes into specific detail about the law and your responsibilities under it.