It has been talked about for a long time, but as of 25 May 2018 the General Data Protection Regulation (GDPR) applies directly to the UK, and it will be incorporated into UK law by the Data Protection Bill.
There have been a number of reported cases involving data breaches within local authorities, caused by employee actions, by failing to secure sensitive personal data in online systems and by poorly designed apps. All of these led to fines for the offending authorities, but also to significant reputational impacts. Many of the headlines around GDPR have focused on the 'penalties and huge fines' that will follow, but the Information Commissioner's Office (ICO) has been working hard to get the message across that while the fines for breaches will be significant, the aim is to change culture and behaviour around data control and management. The biggest change will be accountability.
Understanding how we store and share data, what our audit trails of data are and how we deal with inaccurate information will be the main focus. When we get it wrong, we will now be required to report a personal data breach that affects people's rights and freedoms no later than 72 hours after having become aware of it. This will be no small task. Breach reports will need to include the potential scope and cause of the breach.
All public authorities must designate a Data Protection Officer, but it is vital that everyone is involved in data management. Awareness of information security incident management policies, procedures and guidance; lessons learnt through briefings on incidents at their own or other organisations; and reminders through emails, intranet, newsletters and team meetings are all good examples of disseminating the messages, and these need to be done regularly.
ALARM has been supporting its members in the lead-up to the introduction of GDPR by running sessions regionally as part of the networking opportunities connected with membership, by dedicating whole sessions to the topic and through articles in stronger, ALARM's member journal. While GDPR is here, not all the answers are, and perhaps while thinking about the risks there should be some reflection on the opportunities that could be presented as well. As an example, better control of data can simplify and in some cases automate processes; this in turn could lead to better ways of using the data for service delivery and better engagement with the public.