Organisations across the UK could face huge fines if they are found to be non-compliant with the new General Data Protection Regulation (GDPR), which will be enforced from the 25th May.
Local authorities are concerned about their ability to fund the changes needed to support GDPR guidelines.
However, Tim Waterton, Senior Director of UK Business at M-Files, has assured local authorities that there are simple and effective methods that can be adopted to become more compliant.
“The GDPR is a demanding piece of legislation that many organisations, particularly those in the public sector, are struggling to get to grips with.
Indeed, the Cloud Industry Forum last year found that just 10 per cent of public sector respondents were completely confident that they understood the regulation, and only 6 per cent stated that their organisation was completely prepared for it, indicating the scale of work needed to ensure compliance.
The ongoing squeeze on public sector budgets won’t be helping this situation, but while some level of investment will be needed to support GDPR, this doesn’t need to be unduly expensive.
Local authorities are typically responsible for a huge volume of information, with data spread across multiple systems and used in a variety of ways by many departments. By creating a centralised personal data registry or information asset registry, it allows you to understand what data exists within your systems, where it is located, who has access to it and who it is shared with.
Once you understand what data you have in your possession, you can then see how that information links to your different systems, processes, policies and procedures.”
“With the deadline for GDPR looming, scaremongering is sure to shift into overdrive. In truth, few companies will be 100 per cent ready by 25th May, but even for public sector organisations currently struggling, it’s important they can demonstrate to the ICO that reasonable steps are being taken.
Understanding where your data sits and how it is managed is a great starting point.
The question we should perhaps ask is whether using that information to close a few key gaps with process improvements is likely to be viewed positively by the ICO? My guess is that it will be; alongside enhanced staff training on information management responsibilities and ensuring that everything you do is thoroughly documented.
Ultimately, the GDPR should be seen more as an opportunity for renewal and improvement, and less of a compliance tax.”
The EU General Data Protection Regulation will replace the current Data Protection Directive and has been designed to protect data privacy for all EU citizens. The regulation also aims to tackle how organisations handle data protection for their customers.