From May 2018, organisations across the EU will need to tighten their approach to data protection. The General Data Protection Regulation (GDPR) is the most thorough data protection legislation the EU has ever seen, and its largest overhaul in over 20 years.
Failure to comply could lead to $22.7 million fines, or 4% of an organisation’s total turnover. Despite this, a quarter of councils in the UK have not yet appointed a data protection officer, a requirement under the new rules. (At least until the UK leaves the EU, it must comply with the new regulations.)
“GDPR is not intended to instil fear and impose unnecessary restrictions on how data can be shared and used,” said Peter Wells, head of policy at the Open Data Institute (ODI). “The public sector first needs to work together to overcome the false narratives, understand how to comply with the legislation, and how to turn it into an opportunity.”
Alongside specialist data protection officers, the GDPR requires both private and public organisations which handle personal data to put safeguards in place, provide training and develop a process to deal with data breaches. How should public sector organisations prepare for the changes? Apolitical spoke to Anulka Clarke, Head of Assurance at the UK’s Information Commissioner’s Office (ICO), to ask what government needs to do now to make itself GDPR-ready.
Is government, particularly local government, aware of the incoming law changes with the GDPR?
There’s definitely an awareness of GDPR and the fact that it’s on the horizon. With local government what we’re finding is it’s difficult to get a measure of whether that message is getting out across the whole organisation, or whether it’s just focused with those who have that specialist knowledge of information governance.
There’s an awareness in those information governance roles but is there a wider awareness within and across organisations? We’re not really getting that message.
What does government need to do to prepare for the changes? What are the priorities?
Organisations, we hope, won’t be starting from scratch. We’ve already got existing data protection legislation in the UK so organisations that are already complying with the Data Protection Act 1998 should be in a really good position to be complying with GDPR going forward.
What GDPR does do is put a lot of elements that we’ve always recommended as good practice on to a legislative basis. For instance, the issue around appointing a data protection officer: we’ve always recommended it as a practice, and now public authorities will be required to do that under GDPR. Similarly, reporting data breaches to our office as the regulator: we’ve always recommended that if there’s a high-risk breach and sensitive data involved, it should be reported to us, and the individuals affected by those breaches should be informed.
Those are the two key areas, but another is the concept of privacy by design: building privacy considerations into new projects and new processes that organisations are developing – at the beginning of the process, rather than as an add-on right at the end.
Every council needs a data protection officer (DPO) under the new legislation, but what should they be doing?
There are a wide range of data protection professionals within local authorities, many with a lot of experience – we do see that already when we go out to speak to them and when we’re auditing them.
I think the key thing about the DPO role under the GDPR is that it has to sit at quite a particular level. There needs to be that accountability and that reporting mechanism built straight into senior management. There needs to be freedom and independence to the role so that they are able to question decisions being made within the organisation around personal data and highlight risks.
I think that’s the distinction you see between a lot of the roles at the moment. They might be middle-level managers who are advising on data protection but who don’t have that seniority, that experience, that freedom to speak, and that’s really key and integral to the role of the DPO.
The knowledge is there, it’s just making sure that when that DPO role is formalised under the GDPR it just sits at the right level within the organisation.
Does government need to make contingency plans in case of data breaches?
It’s about risk analysis: understanding the risk to the data that you hold and whom that data comes from. It’s about understanding that risk, mitigating the risk where you can, and asking whether it’s proportionate to the benefit of this data processing you’re doing, not just for informational needs but for the individual and their privacy.
In your worst case it is about contingency planning, so if something does go wrong, you know how to recover from that, recover the data, and make sure people aren’t affected by a potential breach. They need to have processes in place to report that to the ICO.
Is local government well enough protected against breaches which result from their external data processors? How can it safeguard against these?
At the moment, under government legislation, all the responsibility sits with the organisation itself, the data controller. They’re responsible for ensuring that the processor is complying with their instructions.
GDPR shifts some of that liability to the processor, so there are additional responsibilities that the processors need to understand. Despite this, a lot of that liability will ultimately still sit with the controller and they need to have appropriate governance of their relationship.
Obviously with the contract that’s in place, with any processes they’re using, controllers need to make sure that data protection and security breach reporting are built into those contracts, and also that they’re continually monitoring compliance of the data processors, making sure that they are actually following the instructions that the controller has given to them.
What should local government do to train its staff?
Training has to be embedded culturally across the organisation. We did see a percentage of organisations that weren’t doing any training, and then some that aren’t doing annual refresher training, which is really key to reinforcing that message. You can’t just do it once and then have employees who might be there for twenty years without any further training.
It’s that cultural embedding of it. When letting people have access to systems, again that’s about understanding the risks that are there. There may be some basic systems that staff can have access to before they’ve had full training. Meanwhile, some local authorities say that people shouldn’t have access to that more sensitive level of data without having more detailed training: that needs to become the norm for organisations. They should instil that training and make sure staff understand it before they’re allowed to access particularly sensitive data.
Is there a danger that local government will simply delete all the personal data they hold – will the GDPR discourage data sharing?
I don’t think it necessarily should discourage data sharing and analysis of big data: there are some real efficiencies to be made from using data like that, and real benefits from intra-government data sharing.
The GDPR doesn’t stop that, it just makes organisations understand why they’re sharing and working with data: is it appropriate, is it fair to the individuals and is it necessary? Those are the things they need to be thinking about, and already should be thinking about under the current legislation.
We’re hearing anecdotally that organisations have just decided that it’s just easier to delete everything and start again. I don’t think that most local authorities are in a position to do that and we’ve not seen that actually happening in practice.
What should government not do?
The main message for organisations is not to panic about GDPR. They’re not starting from scratch, they should be in a good position from where they are in terms of the current legislation. As an organisation we are trying to push as much guidance as we can out to organisations before May next year; there’s a lot on our website and we also offer audits to organisations such as local authorities to review their compliance and give recommendations about how to improve. Organisations can approach us if they have any concerns about their compliance and we can risk assess them.
Ultimately, the GDPR puts that extra step in about recording decision making and recording what’s happening with data. I think it just makes organisations stop and think about why they’re doing things, and makes sure they’ve got a good reason for doing it.
You can find out more about how to prepare your organisation for the GDPR at the Information Commissioner’s Office’s dedicated guidance page.