What does GDPR mean for local councils?
The General Data Protection Regulation, which came into force in May 2018, is one of the most high-profile pieces of legislation in years. The new EU-wide law, adopted in Britain under the Data Protection Act 2018, has the greatest ramifications for social media giants and consumer-facing multinationals, but its stipulations also have major consequences for local councils, given the range of sensitive data they hold.
The new regulation demands long-term compliance, so local authorities must build data protection into the fabric of their organisation. The question ‘how do local councils share information’ has never been more important.
Driven by development of technology and the exponential growth of data collection, GDPR increases the rights of individuals over their data while imposing far more stringent responsibilities upon the organisations that process it. GDPR enshrines the ‘right to be forgotten’ – the ability to have one’s personal information removed from the internet – as well as giving individuals greater powers to obtain information from organisations that hold their data, and withdraw consent for their data to be used at any time.
At the same time, any public or private sector organisation that handles large amounts of data is now required to appoint a dedicated data protection officer, or DPO, to oversee its GDPR compliance. Such organisations must also provide relevant training to all staff and respond to any subject access request (a petition from an individual to see the personal data held on them) within one month. When seeking consent, organisations must do so clearly and transparently; ‘opt-out’ tickboxes are no longer permissible. Any serious data breach must be reported to the Information Commissioner within 72 hours, and the maximum fine for such failures has risen from £500,000 under the old legislation (witness Facebook’s recent fine) to £17m – meaning the cost of malpractice is likely to be considerably higher.
But what does GDPR mean for local councils in practice, and what will the costs associated with the new regulation be? Public authorities at all levels must comply with it, and its sheer weight and complexity will impose a considerable burden on smaller public bodies. In one sense, though, it’s good news, as Bilal Ghafoor, a freelance GDPR consultant who has worked with several local authorities, explains: “The key thing to note is that most councils process most of their data under statute. Pretty much 95% of all the data they process is because the law tells them to. You don’t have a choice around your tax, benefits or social security data, you have to provide it. So, councils don’t have to go out and ask for consent in a lot of cases – they generally only need to do so for seriously peripheral stuff, like organising summer camps for children. That makes things much, much easier.”
Yet this is counterbalanced by a lack of funding, which makes it hard for councils to compete with the private sector when recruiting data protection officers. Authorities at all levels must appoint a DPO, apart from parish councils: the National Association of Local Councils estimated the requirement could cost local councils upwards of £3.5m, so it successfully campaigned to secure an amendment to the data protection bill exempting parish councils from having to appoint a DPO. Every other council is now being forced to compete with billion-pound companies for the best talent. The problem is exacerbated by the fact that many public bodies are playing catch-up; a survey last March found that one in four councils had yet to appoint a DPO, meaning they are having to get up to speed in an extremely competitive market.
“Austerity has bitten very, very deeply and the market for data protection staff remains very, very buoyant,” Ghafoor adds. “It makes it very difficult for councils to recruit the right kinds of people. The sort of people who work as DPOs could very easily go out and double their salaries in the private sector and that narrows the pool of people who will work for you.”
To maximise the return on their DPO investment, councils are advised to build a clear picture of what the role entails for them, looking closely at their core data processing activities, before beginning the interview process. The Article 29 Working Party, which scrutinised the EU’s data protection laws in the run-up to GDPR, offered a number of mandatory guidelines on key qualities to look for in a DPO, emphasising the need for them to be ethical and honest, with a forensic understanding of data protection as well as strong communication skills and a firm grasp of what the organisation does. Even if the cost seems prohibitive, councils should resist the urge to promote someone unsuitable from within, or outsource the job to an agency.
There are several other key steps councils should take to ensure best-practice compliance with GDPR long into the future. They can be summarised as follows:
Study the legislation thoroughly. This may sound obvious but it’s hugely important in formulating an effective strategy. The Information Commissioner’s Office provides a highly effective guide on its website, which is regularly updated with new and relevant information.
Consider what constitutes personal data. A helpful definition is provided by Basingstoke and Deane Borough Council in its own GDPR guide, which describes personal data as “anything which can identify a living person, either directly or indirectly, and includes identification numbers, location data and an online identifier.”
Keep the audit focused. “A data audit is a very fancy term,” Ghafoor says. He adds that audits should be as meaningful and granular as possible; councils should focus on the practicalities of their own data processing activities and the risks they entail. It’s good practice to compile an information asset register – similar to an IT asset register, which lists all the laptops in the organisation. The register should detail where all the data is and how it is used.
Be ruthless. All existing contracts which involve the processing of personal data should be examined in detail and any which are now outdated, obsolete or out of step with GDPR should be redrafted. Any records which were obtained improperly must be deleted.
Make everything really clear. Clear, concise and intelligible communication is a formal requirement of GDPR, so in a sense this one’s a given. But councils should take this directive to its extreme, making sure their privacy policies and consent forms are so clear that anyone can understand them, no matter their level of English. Try to keep the forms as short as possible and make sure the ‘opt-in’ section is clearly marked and explained.
Make sure IT systems are up to date. Councils should check their IT systems to ensure they allow people the right to be forgotten, as well as providing strong firewalls and filtering systems. If their IT providers don’t currently provide this, councils should push them to include it – or look for another provider. A number of specialist GDPR compliance tools are now available too.
Train staff for real-life situations. Councils should think about problems which could expose sensitive information in the real world – for example a team member leaving their work phone unlocked on a train, or opening their work laptop in a busy coffee shop. Staff, permanent and temporary, should be trained in how to avoid these potential issues.
“Most screw-ups happen because of people, not software,” Ghafoor says. “So, make sure you have protocols in place to minimise risk. At one organisation I worked at, if you saw a computer left unlocked, you were supposed to email that person’s head of department with your own name and the subject ‘UNLOCKED COMPUTER’. That sort of thing empowers people and everyone soon gets the message.”
Having taken these initial steps, councils then need to think about the long term. GDPR isn’t a one-off exercise: genuine compliance implies constant monitoring and adapting to future changes. With new forms of social media emerging all the time, councils’ workloads evolving to include new services and hackers getting ever more sophisticated, the DPO and their team must keep evolving too.
Councils should keep stress-testing their security infrastructure to see whether it provides effective protection. They should continuously re-evaluate their training to check that it’s effective and is resonating with their team. Any time a new piece of technology comes on stream, an effective protocol must be put in place to deal with that technology falling into the wrong hands – even if it’s something as simple as a portable USB drive.
Above all, it’s about creating a culture which ensures that data protection is taken seriously throughout the organisation. Appointing the right DPO is a good start but councils can’t expect one person to ensure GDPR compliance all by themselves. With the right culture, everyone in the organisation will feel responsible for the council’s data protection and will have the motivation to uphold it.
“‘Privacy by design’ is one of the key GDPR requirements and that will have a real impact,” Bilal Ghafoor says. “Privacy is woven into everything. So DPOs need to sit in on all kinds of meetings and if they see something wrong, they’re empowered to go straight to the CEO. Organisations are obliged to ensure that DPOs are always involved.
“But culture change needs to happen. Councils need to think of this as a long-term process, and the harming of individuals’ rights and freedoms through non-compliance outweighs any difficulty or inconvenience the process causes.”