The General Data Protection Regulation (“GDPR”), which comes into force on 25 May 2018, will replace the Data Protection Act 1998. Many of the changes implemented by the GDPR will affect the current information governance practices of public authorities in Scotland. In particular, the GDPR will increase the risks associated with processing personal data given the significant increase in financial penalties for breach of the GDPR.
The ICO has published the results from its Local Government Information Governance Survey, together with guidance on the steps that local councils should take in order to ready themselves for the GDPR. The ICO received 173 responses (including over 10% from Scottish local councils) to the survey, which was open to all UK local councils, excluding parish and town councils.
The ICO guidance highlights the good practice that is already in place, but finds that many local councils have work to do in advance of the GDPR coming into force next year. For example, the survey found that a quarter of the local councils surveyed did not have a data protection officer (“DPO”). Further, 34% of councils surveyed did not conduct privacy impact assessments (“PIAs”).
With the ICO guidance in mind, here are some practical measures that public authorities can take now to help move towards GDPR compliance:
1. Conduct a personal data audit – In order to establish what needs to be done to comply with the GDPR, public authorities should conduct a personal data audit and analyse the legal basis on which personal data is currently processed within the various areas of their organisation. It is imperative that all relevant areas are considered and that appropriate stakeholders are engaged in the process, whether processing data about customers or employees.
2. Promote awareness of the GDPR through training – To ensure compliance, it is important that all staff understand the public authority’s obligations under the GDPR. In particular, all staff should be made aware of their responsibilities under the GDPR and of the processes for reporting data breaches.
3. Review and update privacy policies – It is essential for public authorities to review and update their existing policies in line with the revised ICO guidance to ensure GDPR compliance. Further, public authorities are reminded to renew their data protection policies annually and ensure that they have a specific policy related to data sharing.
4. Ensure DPOs are appointed and are compliant – Under the GDPR public authorities must appoint a DPO, who will report to the highest level of management, although a single DPO may be designated for a number of public authorities. It will be the responsibility of the public authority to ensure that its DPO is adequately resourced to enable them to meet their GDPR obligations. In some cases it may also be helpful to appoint a Senior Information Risk Owner to help manage information risks.
5. Be prepared to handle data subject access requests (DSARs) within the shortened timescale – Public authorities will have just 30 days (rather than the current 40 days) to respond to DSARs. Public authorities should consider their current DSAR process and whether investment in technology is necessary to facilitate searching and extraction of the relevant data within the reduced timescales.
6. Make preparations to deal with security breaches – The GDPR introduces a new requirement to notify the ICO within 72 hours of any data breach that is “likely to result in a risk to the rights and freedoms” of a natural person. In practice, that may be every single breach. Public authorities should implement appropriate procedures to ensure this timescale can be met.
7. Encourage privacy by design/default – Public authorities must be able to demonstrate compliance under the GDPR with the principles of accountability and privacy by design. Public authorities are advised to produce their own PIA processes and accompanying guidance and to ensure that privacy is embedded in any new activities involving data processing.
8. Be prepared for data subjects to exercise their new rights – The GDPR creates new rights such as the ‘right to data portability’ and strengthens existing rights such as the ‘right to erasure’ for data subjects. It is essential that public authorities review and, where necessary, amend their current processes to ensure compliance under the GDPR.