GDPR! 1 year on - 31.05.19
Publish date: 03/06/2019
GDPR! One Year On - read an update prepared by LLG's National Expert on Information Management, Chucks Golding
GDPR! One Year On
The 25th May 2019 has come and gone. How have the changes brought by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 materialised in your organisation?
The opening phrase that I have used during the past year is that we have had 20 years of data protection under the Data Protection Act 1998. Data protection is not a new phenomenon for Councils. What GDPR has created is the need to "show and tell": 'What have you done to comply?' and 'Show me the evidence that demonstrates your compliance.'
What about documentation? Colleagues across the public sector spectrum highlight the exponential increase in record-keeping: organisations must now show how records are held, stored and, more importantly, appropriately discarded once it is 'no longer necessary' to hold the data. One of the self-assessment processes that first-tier Councils experience is the NHS Data Security and Protection Toolkit, which requires a data flow for each pathway of data in and out of the Council.
Another change, though not widely announced, is the change to the fees paid to the Information Commissioner's Office (ICO) by Councillors in their capacity as Data Controllers in their own right. They are covered by their national party when completing constituency work and by the Council when working as a Councillor. The fee was being paid to protect Councillors acting as a Data Controller for the resident they were assisting, where personal data would need to be shared. It does not appear that the removal of the fee has reduced the responsibility of Councillors to be data protection savvy. Has this change raised the profile of data protection responsibilities when inducting Councillors or refreshing their training?
What about contract variations and Data Sharing Agreements? Were you able to provide updated contract clauses or variation Agreements for the contracts that were live on 25th May 2018 and beyond? Who are you sharing data with, and do you need an Agreement to demonstrate the respective responsibilities?
Then there is the Data Protection Officer (DPO) responsibility. Every public sector organisation, as defined in the FOIA, needs to appoint a DPO. Are you the DPO? Does your organisation know who the DPO is, and what the associated function and tasks are? Does the organisation understand the advisory role and the remit of the DPO to provide options, not decisions? Has your DPO had face-time with Senior Leadership and Members? Does the organisation know what to do if a complaint is received from the ICO? The aim of the DPO is to be the conduit between the ICO and the Council. A DPO action plan ensures that the DPO can keep the Council abreast of its responsibilities and so aid the journey of compliance. And no piece would be complete without considering Brexit! What does it mean for Councils and their responsibilities in regards to data protection?
The GDPR and its sister legislation, the Data Protection Act 2018, are becoming a 'business as usual' regime. I call the GDPR/DPA18 the 'golden thread' of any Council. It is not a mainstream matter, yet personal data and its use, storage and deletion should be considered as part of any project and risk assessed, so that it is either addressed or deliberately left alone. Happy birthday GDPR!
Chucks Golding, LLG's National Expert on Information Management