24/Apr/2017
The GDPR will take effect under UK law from 25th May 2018, so we are officially on a countdown to the date by which everyone must be compliant. In March 2017 the Information Commissioner’s Office released a report examining the results of a survey of local government, conducted to assess its information security posture and general readiness for the new General Data Protection Regulation.
The conclusion of the report was:
“The overarching conclusion from our analysis of the survey results was that, although there is good practice out there, with GDPR coming in May 2018, many councils have work to do. Adhering to good practice measures under the Data Protection Act (DPA) will stand organisations in good stead for the new regulations.”
The report showed that while local government does take information security seriously, there is still much for them to do to become and remain compliant once the GDPR comes into effect.
Local governments are data-heavy organisations that process significant amounts of personal data, from financial information to family and housing information. All of this is ‘personal information’ and is processed by local governments so that they can provide their services to the public. They must maintain the confidentiality, availability and integrity of the data they collect. The reputation of local governments and the trust the public places in them are extremely important. The GDPR places the burden of keeping the data subject informed on the data controller (the local government), whereas previously it was up to the data subject to ask. Local governments are subject to greater scrutiny because of the amount of information they must deal with and because they are the sole source of these services, meaning data subjects have no choice but to deal with them. Their ability to demonstrate compliance at any time is key to maintaining this trust.
An important feature of the GDPR is the inclusion of severe fines for those that are non-compliant. The idea behind these increased penalties is to make the cost of non-compliance significantly higher than the cost of becoming compliant. In the event of a data breach, beyond the fines for non-compliance, the damage to the organisation’s reputation and the loss of customers’ trust in its ability to protect their personal information, local governments also face potential lawsuits from the individual damaged parties.
A consequence of local governments being the sole provider of many services, such as social work and child protection, is the need to collect vast amounts of data and store it for prolonged periods in data warehouses. Local governments are not immune to data breaches or malicious attacks; in fact, these large data warehouses make them even more attractive targets for attackers. Alongside ensuring that the relevant hardware and software are in place to protect the data, best practices are vital to preventing data breaches caused by human error. Adherence to the GDPR enforces these best practices on organisations.
Local governments are large organisations with very complex supply chains, which means more points of failure and more potential sources of vulnerability for the data. The GDPR places the burden of checking that the entire supply chain is compliant on the data controller. This elevates the risk level and increases the need for local governments to maintain visibility of their supply chain and monitor its compliance posture. In the event of a data breach, local governments should be able to provide evidence that they checked that their supply chain was compliant and that the risk to both themselves and the data subjects was minimal.
There has been much debate over whether the GDPR will apply to UK organisations post-Brexit, but the UK Government has stated unequivocally that it will apply to everyone post-Brexit. Local governments will need to set the example for industry and ensure that best practice is implemented.
As mentioned earlier, we are fast approaching the deadline to become GDPR compliant and, as the ICO’s survey shows, there is still much for local governments to do. There are several options to pursue.
CyNation developed CyReg™ GDPR to help government agencies and businesses become GDPR compliant. With an easy-to-use, step-by-step approach and plenty of help and guidance along the way, compliance management has never been easier.
Because the GDPR is new, few companies can provide a qualified consultancy service or a good-quality compliance assessment, and those that can come at a very high price.
Using tools like CyNation’s CyReg GDPR, local governments can see where they need to improve to become and remain compliant, and can reduce the overall risk not only to the organisation but also to the data subjects.