Some public bodies are still not taking the General Data Protection Regulation seriously. The extent of the change means that they should
With just a year to go until the General Data Protection Regulation (the GDPR) comes into force, a worrying number of public bodies are still unprepared.
As a regulation under EU law, the GDPR will apply automatically across the UK on 25 May 2018. Reflecting the current uncertainty about how the measure will be applied, the Department for Culture, Media and Sport last week opened a call for views on possible exemptions where the UK has the freedom to allow them.
However any hopes that the GDPR will fade away post-Brexit are wishful thinking. On top of its commitment to leave the EU with all existing European legislation in place, the Government has committed itself to amending the current 1998 Data Protection Act so that it meets the GDPR’s standards. Ministers see this as essential to preserve confidence in the continued free flow of data between the UK and the EU following 2019.
“It’s definitely going to come in to force in the UK,” says Stephen McCartney, director of information governance at Royal Mail Group.
Among other provisions, the GDPR expands the definition of personal data to cover, for example, location, cookies and IP addresses. It introduces new concepts including “sensitive data” such as biometric information.
Subjects of the data will have new rights, such as the right to erasure (and to be forgotten), as well as to restrict the processing of their personal details. Consent for personal data to be processed must be “freely given, specific, informed and unambiguous” – a pre-ticked box will no longer do.
For sensitive data, consent must be explicit. In the case of a challenge, the onus will be on the organisation to demonstrate that consent was given.
The Information Commissioner’s Office found earlier this year that one quarter of councils do not have a data protection officer (DPO), which public authorities are obliged to appoint under the regulation. More than 15% do not run data protection training for employees who process personal data, and a third do not conduct privacy impact assessments, which will be a legal requirement under the GDPR in certain circumstances.
Solicitor Ibrahim Hasan, director of Act Now training, says that for the first time data controllers as well as data processors are required to appoint a DPO in three situations:
- Where the processing is carried out by a public authority or body. Public authorities and bodies are not defined in the legislation. The guidance says this is a matter for national law. It is fair to say that all bodies subject to the Freedom of Information Act or the Freedom of Information (Scotland) Act will be covered by this requirement – for example councils, government departments, the health sector, schools and emergency services. It is likely also to cover private companies that carry out public functions or deliver public services.
- Where the core activities of the controller or the processor consist of processing operations which require systematic monitoring of data subjects on a large scale.
- Where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences
It will be good practice to appoint a DPO in some cases – for example, where private organisations carry out public tasks. This could include companies delivering core public services under an outsourcing arrangement – for example housing maintenance companies or charities delivering social services. A group of undertakings may appoint a single DPO provided that they are easily accessible and there are no conflicts of interest.
Resources and independence
The DPO must be qualified for the job, provided with the resources to do it, and allowed to perform tasks in an independent manner, reporting to the highest level of management without fear of being penalised.
Jackie Gray, a partner at law firm Bond Dickinson, told the Lawyers in Local Government weekend school last month: “The DPO needs to be someone who is either a lawyer or is well versed in information governance, but not someone who is necessarily in IT.”
It is already clear that there is a shortage of professionals with the skills and that some public bodies are burying their heads in the sand. A straw poll at the event suggested that two-thirds of councils represented were actively planning for the GDPR. One in 10 was just starting to think about a plan.