UK councils urged to prepare for GDPR now

Some of the changes could be onerous and problematic, warns Socitm's Dr Andy Hopkirk

Councils have been urged to review their information governance arrangements and prepare for the incoming General Data Protection Regulation (GDPR) now.

The Society of Information Technology Management (Socitm) said that with both the new EU data protection regulations coming in and the new EU-US Privacy Shield arrangement replacing the Safe Harbour agreement, local government organisations needed to ensure they were completely compliant.

According to Socitm, UK public sector organisations will be able to at least "operationally" use US cloud service providers as they currently are, under the new EU-US Privacy Shield.

Meanwhile, new EU data protection legislation will replace the existing Data Protection Directive. The law will be updated to accommodate the likes of social media and cloud computing, which were not known when the UK's own Data Protection Act was made law in 1998.

The new regulations will represent a major change in the way that personal data must be managed for any organisation that does business in, or with, the EU. National supervisory authorities will be asked to enforce these laws, with the power to impose significant penalties for non-compliance.

Individuals will get easier access to their own data under the new regulations, and have more information on how it is processed. They will also be able to more easily transfer their personal data between different service providers and, depending on the circumstances, they will have the right to have their data deleted.

Organisations who want to process people's data will need more explicit consent to do so, while organisations who are victims of data breaches could be fined up to four per cent of their annual turnover.

"Accommodating the changes will be a matter of amending existing processes rather than inventing new ones," said Dr Andy Hopkirk, head of research at Socitm.

"Some of the changes could be onerous and problematic. For example, councils will need to be able to deal correctly and completely with ‘right to be forgotten' requests - perhaps the single greatest challenge in an almost ubiquitously networked and distributed computing world," he added.