Majority of boroughs unable to meet GDPR 'right to be forgotten' requirements
Seven out of ten boroughs unable to identify all personally identifiable information, warns M-Files
The majority of local authorities in the UK are not yet able to comply with the 'right to be forgotten' requirements of the incoming General Data Protection Regulation (GDPR), which will become law on 25 May next year.
Research by information management company M-Files, conducted via a series of Freedom of Information (FOI) requests to all 32 London boroughs and 44 other local authorities across the UK, found that 69 per cent of the local authorities are not able to effectively erase personally identifiable information (PII) from their systems - a critical requirement of the new regulation.
Updating systems in time for the new Regulation will require identifying software utilising personally identifiable information and re-writing it accordingly - at a time when HMRC's updated IR35 rules are putting off many contractors from working in the public sector.
Alternatively, local authorities will need to upgrade or replace software packages, lock, stock and barrel.
Julian Cook, vice president of UK business at M-Files, suggested that the public sector needs to become more proactive when it comes to tackling personal privacy issues, which sit within the wider arc of compliance within GDPR.
"The right-to-be-forgotten is arguably one of the most challenging aspects of GDPR, which places the onus on organisations to introduce smarter measures around data protection and controls, including how the Personally Identifiable Information (PII) of EU citizens is collected, stored and shared," said Cook.
He continued: "This is particularly true for the public sector, where this data is commonly trapped within information siloes and duplicated across different systems and repositories.
"The net result is that public sector organisations often don't have a full picture of the data on their systems, so completely erasing personal data becomes infinitely more challenging. Radical changes to how public sector organisations manage their information will be required if they are to be compliant when the regulation comes into force."
While the Information Commissioner's Office (ICO) has indicated that it won't come down hard on organisations that fail to comply with GDPR from day one but can demonstrate efforts to improve their level of compliance, Cook believes that local authorities should focus on implementing technology solutions that streamline the management of personal data and are compliant in key facets of the regulation.
"The essence of GDPR is to ensure that explicit policies and procedures for handling personal information are in place, but with less than a year before the go live date of 25th May 2018, the findings present a fairly concerning picture as to how prepared councils are.
"Because of this the door is open for technology to play a significant role in automating and simplifying many of these processes," said Cook.