Implementing GDPR in local government - where to prioritise

Pitney Bowes' Andy Berry gives a run-down for local authorities on what they need to do to become GDPR-compliant - before May next year

In 1995, Toy Story became the world's first wholly computer-generated film, the music charts (we're talking CDs, not downloads) were dominated by Whitney Houston and Mariah Carey, and less than one per cent of the world's population had an internet connection.

That year also saw the release of the European Union Data Protection Directive, but the landscape has clearly changed since then. Today's internet user base is 50 times the size it was in 1995, and the amount of information published online - especially personal information - has grown massively.

Facebook alone is 15 times larger than the entire internet was in 1995[1] and 90 per cent of the data in the world has been created in the past two years alone. So it's not difficult to see why data protection regulations needed updating. In fact - as you probably know by now - in May 2018 they will be replaced in the EU by the General Data Protection Regulation (GDPR), in the biggest-ever overhaul of data protection regulations to hit the UK.

The intention of the GDPR is to harmonise data security, retention and governance legislation across EU member states, using the 'regulation' instrument to directly transplant the same law into countries across Europe, unlike a directive that is subject to subtle changes when it is translated into member states' legal systems by national parliaments.


The GDPR requires public and private organisations to place a much stronger emphasis on data protection - or risk severe financial penalties for contravention.

The GDPR applies to all processing of personal data, from collection, through to storage, distribution, retention and protection of data, security and cross-border data transfer. Those that don't comply may be hit with penalties of up to four per cent of global revenue.

Although the new regulation has been public knowledge for a while, research has found that more than half of private sector organisations are not yet ready for it. The study by Veritas highlighted confusion over ownership, concerns about data storage, and worries about data loss[2].

A study of public sector organisations, however, presents a slightly different picture. Research by the Information Commissioner's Office[3] found that whilst there is still work to be done to drive full GDPR compliance, many local government organisations already have the positions, structures and processes in place that will stand them in good stead next May.

For example:

Local government leaders should be assured by some of the positive outcomes of the study. At this stage, however - 12 months away from the regulation coming into play - it's critical to identify gaps and key milestones. Conversations with our clients in local government have helped us devise a checklist of ten key priorities for your organisation:

  1. Know where your organisation is on the journey: consider a GDPR 'readiness assessment' to help you identify priorities;
  2. Assign ownership of GDPR compliance, and clarify roles and responsibilities;
  3. Consider recruitment to fill any gaps: 44 per cent of respondents in the ICO survey did not have an information security manager, for example, and 35 per cent did not have an information governance manager. Once you have the key stakeholders, create a corporate information governance group, which meets monthly, or more regularly, as we near May 2018;
  4. Review governance and procedures, update privacy notices and consents and ensure privacy impact assessments are carried out to reduce the risks of new processes or projects. The ICO research found 34 per cent of councils surveyed don't currently do this; likewise, 56 per cent of organisations did not have an information risk policy in place;
  5. Sharing is caring: 37 per cent of councils did not have a data-sharing policy. It may be that this is covered by other policies, of course, but as collaboration and interoperability move firmly up the agenda, it's critical that the entire organisation, partners and suppliers are clear on this;
  6. Educate your organisation on compliance best practice: clear desk policies, for example, help minimise risk as staff lock away all documentation at the end of each day;
  7. Check your systems are fit-for-purpose: human error is one of the biggest causes of data breaches. Make it easy for staff to protect the data they generate and manage;
  8. Make sure your physical communications are secure: data in both digital and physical form need to be managed, maintained and protected. Research shows that almost a quarter of security breaches relate to paper-based documents[4];
  9. Document and communicate a clear, fast and structured process in the event of a data breach taking place: how would staff report it? How would you communicate it to council leaders and regulators in line with the new notification requirements? Would you have individuals available to manage communications and social media? What preventative measures could you take to stop the breach happening again?
  10. Consider mobility. Although it may not be top of your agenda now, there will come a time when your staff want to work flexibly (if they're not doing so already). Make sure your data is protected however and wherever staff are accessing it.

Your organisation is a custodian of sensitive data: citizens place a huge amount of trust in you, with the information they share. Now, it is time for public and private sector organisations alike to repay this trust; to demonstrate transparency, honesty and credibility. The EU GDPR provides us all with an opportunity to do exactly that.

Andy Berry is vice president EMEA at Pitney Bowes Software, with 20 years in the business. Before joining Pitney Bowes Software, he was general manager of Wholesale Distribution at ERP software vendor Infor. He holds a degree in Computer Science from East Carolina University.

References:

  1. Source: Hiscox
  2. Source: Businesswire.com
  3. Source: ICO
  4. Source: Canon

Disclaimer: this article is not designed to provide legal advice and you should not take, or refrain from taking, action based on its content alone.