GDPR may be just four little letters, but it’s a colossal issue for organisations and businesses of all sizes. An acronym for General Data Protection Regulation, it represents how the law is changing in relation to data protection. And as local government and public sector organisations work with significant volumes of data – data that is often very sensitive – GDPR, and getting compliant with it, should be at the forefront for all such organisations.
Recognising the critical work afoot, we are working with our local authority and public sector members to equip them with everything they need for when GDPR comes into full force in May 2018. One way we have been doing this is through our tailor-made workshops for small groups, where we have partnered with data specialists who have first-hand experience of working in local government. These aren’t workshops that focus on the theory, the background or the perplexing jargon. They’re practical, actionable and most of all designed just for local authorities and their staff – whether a CIO or a social worker; in an ICT team or at the front line. Find out more about our workshops at the end of this guide.
Working with Sandra Lomax of Baker Lomax Services, one such workshop went down a storm in Liverpool last month. Sandra, who was formerly Bradford Council’s information assurance director, united with local authority delegates from the region, including Blackpool, Cheshire West and Chester, Lancaster City, Liverpool, South Ribble and Wyre. Here’s what they explored…
Six snippets about GDPR
Before we consider the GDPR action plan developed through our Liverpool workshop, let’s take a look at the key points about GDPR that were central themes of the day – points you should keep in mind at all times…
- The UK’s current Data Protection Act of 1998 has been based on an EU directive of 1995 [1]. But 1998 is light years away from today’s information age, so GDPR looks to bring legislation up to date, reflecting a world where data is everywhere, and misuse of data is increasingly unacceptable.
- It is in place now, but it only becomes enforceable from 25 May 2018 [2]. That’s less than a year away – the clock is ticking…
- It will happen irrespective of Brexit, as described by Information Commissioner Elizabeth Denham in a September 2016 BBC report [3].
- GDPR has brought with it a staggering level of guidance to consider. You can cut through this by going straight to the regulator, the ICO, for resources. Our particular favourite for local government is the ICO’s ‘12 steps to take now’ guide, which was last updated at the end of May 2017 [4]. At our Liverpool workshop, this guide formed a central part of the discussion and breakout sessions.
- The penalties for breaching GDPR will be huge – as much as €10 million or two per cent of an organisation’s global turnover. One cyber security trust estimated that, with GDPR in force, last year’s £400,000 fine of TalkTalk by the ICO would be in the region of £73 million [5]. For local government and public sector organisations, such a fine would not only devastate already-stretched budgets, it would damage reputation and jeopardise public trust.
- It might seem to be the preserve of ICT departments, but becoming aware of GDPR – and ultimately compliant with it – is the responsibility of everyone in an organisation, and it should be on the corporate risk register. Use these six points to promote the importance of GDPR in your organisation.
Getting primed for GDPR: the action plan
Our Liverpool workshop ran from 10:00 to mid-afternoon. In it, there were question-and-answer slots, breakout sessions and practical exercises. As you can imagine, there was a lot to cover, but the workshop concluded there are four key steps you should take to prepare for…
1. Explore what information you have, and where you hold it
- Data controller?
- Data processor?
- Systems with children’s ages
- Data and information sharing agreements, including privacy impact assessments (PIAs)
- Personal drives
- Spreadsheets
- Where sensitive and personal data is held
- Information asset owners
2. Control and govern how personal data is used and accessed
- Records management – align to ICT systems
- Business continuity / disaster recovery – align to privacy risk and sensitive information
- Policies and procedures: acceptable use; work from home; email deletion; USB portable media
- Consent
3. Notify – keep the required documentation audited, with KPIs and details of updated, signed and approved policies
- Awareness – campaigns
- Subject access requests – 30 days
- One in four board reporting – e.g. near misses, KPIs
- No excessive information
- 72-hour reporting – including media strategy
- Extracts from policies
- Training statistics
- Leavers and movers – change system access
4. Keep secure – establish appropriate security controls to keep information safe, prevent unauthorised access, and detect and respond to vulnerabilities and breaches
- PIAs
- ICT kit disposal
- Building security
- Cloud security – ISO 27018
- Cyber security
- Information governance toolkit
Want your own GDPR workshop?
The delegates at our Liverpool GDPR workshop were delighted with their bespoke plan-of-action created and presented by Sandra Lomax, an information specialist with first-hand experience of working in a local authority. Attendees were also impressed with the overall package, recognising that through Socitm, the training was premium quality with a price that’s right for the public sector.
If you would like the Socitm team to organise a workshop for you and neighbouring councils – or if you are from another public or third sector organisation and are interested – get in touch today…
- Call Layla Flack on 01604 876370
- Email Layla on firstname.lastname@example.org
“I will actually use the four-stage guide as a practical application for the key decision-makers to get buy-in.”
“Absolutely worth my while!”
References and further information
- [1] The ICO. 2017. Transparency, trust and progressive data protection. [Online]. [Accessed 14 June 2017]. Available from: bit.ly/2dpvH0D
- [2] The ICO. Date unspecified. Overview of the GDPR. [Online]. [Accessed 14 June 2017]. Available from: bit.ly/2kWNdxQ
- [3] BBC. 2016. Commissioner: UK ‘must avoid data protection Brexit’. [Online]. [Accessed 14 June 2017]. Available from: bbc.in/2dxZ8D1
- [4] The ICO. 2017. Businesses warned to prepare with one year until data protection law change. [Online]. [Accessed 14 June 2017]. Available from: bit.ly/2r0oUog
- [5] NCC Group. 2016. TalkTalk fined £400,000 by Information Commissioner’s Office. [Online]. [Accessed 14 June 2017]. Available from: bit.ly/2sA2ueY