Guest blog: Imogen Heywood, engagement lead, Centre for Information Sharing, on the recent data protection legislation and appearance on the UKAuthority Live GDPR webcast
Recently I took part in a livestreamed panel debate organised by UK Authority (in partnership with Civica Digital), designed to explore how we’re responding to three new pieces of data legislation:
- General Data Protection Regulation (GDPR);
- Digital Economy Act (DEA); and
- new Data Protection Bill.
It was great to be invited to take part (if a little daunting being on camera), and particularly nice to be part of such an interesting and varied panel – with representatives from the Information Commissioner’s Office (ICO), Civica Digital, and the London CIO council.
As a non-expert on information governance, I thought I might be the only one highlighting the cultural and organisational change impacts of this swathe of new legislation. However, it was heartwarming to hear others agree on the importance of cultural factors.
It gave us the opportunity to talk about GDPR implementation as an opportunity for whole organisational change (which can’t be delivered by information specialists alone), and to ensure that we don’t lose the confidence and trusting relationships we’ve built up under the previous legislation.
Following the panel debate, I’ve continued to reflect on the GDPR, DEA and new Data Protection Bill. There are lots of things to think about within the many pages of these regulations, but three that have particularly struck me:
- We need to focus on the common ‘enabling’ elements. Yes, there are noticeable differences between the legislation, not least the focus on individual rights within the GDPR whilst the DEA looks more at enabling government and the delivery of public services. However, there are a lot of common elements where we might better place our attention, such as transparency and communication. But for me the common point we mustn’t lose sight of is that, despite the use of the term ‘data protection’, this legislation is intended to support appropriate sharing of information, not prevent it.
- Building in privacy from the start is ‘investing to save’. Whether through the use of the 'privacy by design' approach developed by the ICO, or through the business cases advocated by the DEA, we need to make sure that privacy is taken into consideration in service design and programme management right from the start. This is more than just a case of spending the time required to comply; it’s about investing the time right at the start of your project to think about the data sharing and privacy issues. If left until the last minute, this could create problems and concerns that seriously delay the implementation of your ambitions. And if you’re worried that your information governance (IG) leads won’t want to be involved this early, don’t be. We’ve heard a clear message time and time again from our work with local places that IG leads want to be in from the beginning, not just a last minute addition to the project team.
- Who decides if data sharing is in the public interest? Within both the GDPR and DEA there’s a recognition that data sharing should be in the public’s interest (GDPR) or result in benefit for the individual or household whose data is shared (DEA). But in the absence of clear definitions, how will bodies delivering public services decide what constitutes public interest or individual benefit? This is a question I don’t have the answer to, but I do think it reinforces the need for the public to be involved in designing the services and data sharing processes intended to support them.
So, these are a few of my thoughts, but what do you think? With 25 May 2018 fast approaching, the Centre is looking for ways to support the public sector to prepare for GDPR, and the introduction of the DEA.
So, what is happening in your organisation, and how can we help? Please email firstname.lastname@example.org to tell us what your GDPR and DEA cultural challenges are, and what support you’d like.
You can watch the full webcast featuring Imogen and other GDPR specialists by clicking on the link below:
“This article was first published by the Centre for Information Sharing on the 13th July 2017 in an article called ‘You wait ages for data legislation and three come along at once’.”