GDPR is everyone's responsibility
UKA Live's debate on GDPR gives valuable pointers for compliance with the General Data Protection Regulation next year, writes Chris Doutney, managing director of Civica Digital
It’s less than a year until the General Data Protection Regulation (GDPR) comes into force, and public sector organisations need to be able to hit the ground running in complying with its demands.
There is no avoiding it. The Queen's Speech made clear that GDPR will be enshrined in UK law with a new Data Protection Act. And there will be no excuses.
I recently took part in a lively debate hosted by UKA's Helen Olsen Bedford, alongside Victoria Cetinkaya, senior policy officer at the Information Commissioner's Office (ICO); Imogen Heywood, engagement lead at the Centre of Excellence for Information Sharing; and David Tidey, chief information officer of the London Boroughs of Wandsworth and Richmond and chair of the London CIO Council.
During our discussion, the ICO's Victoria Cetinkaya stated that the ICO expects public sector organisations to be compliant with the new legislation when it comes into force on 25 May 2018. Any public authorities that are not yet making preparations need to begin the job, soon.
Encouragingly, an audience poll during the live broadcast found that 83% were making preparations and confident of being ready, but an alarming 17% had not yet started their GDPR journey and were not confident that they would be ready by the deadline.
The magnitude of the task should not be underestimated. There are new requirements and new responsibilities that will fundamentally change the way in which we all handle personal data and, as a consequence, how we deliver services.
The first steps in preparation involve understanding the key principles of the GDPR and their implications for managing people’s personal data. It builds on the existing Data Protection Act (DPA), but makes clear that any personal data is on loan from the subject, not the property of the organisation that holds it.
Advisable next steps
There has been plenty of talk about the ‘right to be forgotten’, but this is not all pervasive. According to the ICO's Victoria Cetinkaya, if an authority has to process personal data to carry out a statutory public task then it is not required, even if requested, to delete the necessary details on a person.
But the right to be informed about holding the data and how it is used will be stronger than ever, and there will be a heavy onus on organisations to demonstrate their compliance. The ICO already issues fines for data protection breaches and those that fail under the GDPR could be in ine for even heavier fines.
This is a strong enough incentive for any public body to get to grips with the GDPR from day one, and the discussion threw up a handful of advisable steps.
A useful starting point is to carry out an audit of your information assets, looking at the basis on which information is held, its purpose, level of detail, the level of consent required and whether you need to inform people that you have it. A key element of the GDPR is that it raises the standard of consent within the DPA, and there are likely to be plenty of instances in which this has to be refreshed.
Assessing the risks to people’s privacy in using data and how to mitigate them is a major issue. The ICO provides a valuable tool in the form of guidance on privacy impact assessments, leading the user through basic steps to identify risks, outline how they can be managed, what safeguards could be needed, whether a plan should go ahead or whether it is a step too far.
While this is a precaution, it can also provide an opportunity to build 'privacy by design' into an organisation’s processes and its use of IT, meeting the terms of an emerging area of best practice in public and private sectors.
An organisation-wide issue
The GDPR must be recognised as an issue for the whole organisation and there is a need to communicate the requirements of the GDPR with consistency throughout the organisation - from top to bottom - making sure that different messages do not emerge from different departments. This should prevent any confusion and ensure all staff and teams have a clear view of how they should manage personal data.
All organisations need an internal debate on the effects of the GDPR, the security of personal data and what safeguards are needed. Rather than relying on one or two lead officials, the internal debate has to reach up to the boardroom at an early stage in order to help build internal trust throughout. From the chief executive officer down, the leadership team should be the first to be involved in the conversation, and their support will be crucial in spreading awareness and good practice through the ranks.
As well as efforts to encourage all staff to ask relevant questions and make suggestions, there needs to be efforts to build peer learning and knowledge forums, both internally and externally, across the public sector and extending to the private sector.
The role of technology
Of course, IT systems are going to play a significant role in compliance, and the conversations have to extend to suppliers to ensure that they are on board with the changes. It is an issue that Civica has been taking seriously for some time, building a line of capability around the GDPR - including the enhancement of our product roadmaps and additional services such as readiness assessments and a single customer view - to support an organisation’s journey towards compliance.
Working alongside a strategic partner, we also have a platform that connects organisations to individuals to generate informed insight from informed consent.
Nobody pretends that all this is straightforward, and any organisation will have to inject a significant resource into the effort, with a clear focus and the will to drive it through. But don’t be overwhelmed by the task at end. For those organisations who haven’t started preparing, or who still have a way to go, you’ll need to start by developing a roadmap of activities that includes proportionate, risk-based investment, and pushes you gradually along your GDPR journey.
Undoubtedly, meeting the challenges of the GDPR will be difficult in the current climate of austerity, but it has to be done. But organisations shouldn’t see it as just a piece of red tape. The GDPR gives us the opportunity to lay the groundwork for better transparency and improved interaction between citizens and the organisations that deliver services to them. Those organisations that can hit the ground running next May will be well placed to build trust with citizens, transform services, and be sure they have a firm legal foundation for change.
Can't watch the full video? Then listen to our Podcast / Audio version
As published by UKAuthority