London councils have individually spent up to £300,000 on software, training and consultancy to prepare for the EU’s General Data Protection Regulation (GDPR) ahead of the compliance deadline of 25 May 2018, according to a report by the Parliament Street think tank.
Researchers conducting the survey under the Freedom of Information (FOI) Act found that Tower Hamlets council had the highest budget allocated, with £300,000 set aside for GDPR compliance. The council added that the cost of a dedicated project worker for 12 months on a salary of £49,514 a year has been committed.
Another council with a large budget is Redbridge council, which estimated a total budget of £110,689 for GDPR, with an extra £15,000 allocated for management software.
In contrast, the lowest level of spending came from Hounslow, which told Parliament Street researchers that they had already spent £1,000 on staff training and materials, with an additional £4,000 allocated to the project for the rest of the year.
When it came to shared services, Newham and Havering Councils gave a collective response of £104,319 between them, which included a GDPR toolkit and a project manager. Sutton and Kingston allocated £50,000 between the two councils. Meanwhile Richmond and Wandsworth declared spending of £142,110.
Nick Felton, director of MHR Analytics, said that while data protection legislation is not new, the way in which public authorities collect, use and share information has changed significantly over the past 20 years.
“The GDPR is designed to strengthen and unify existing law, and under this legislation London Borough Councils must understand what personal data they process, why they process it, how and who processes it and, importantly, the legal basis used to qualify the processing,” he said.
Felton said councils must provide adequate GDPR training to staff, carry out a maturity audit, and implement recommendations. They also need to assess if they have clear, concise and adequate use of privacy notices; a breach management strategy which meets the new compulsory reporting conditions; and the ability to fulfil data subject rights, which includes granting access, managing the withdrawal of consent, and the ability to manage privacy risk.
“This will be a huge undertaking and significant investment will be needed internally and through the use of third parties, in order to comply with the May deadline,” he said. “Data continues to be a key asset for all organisations both from a legislation and competitive perspective.”
Unsurprisingly, the survey found that councils with larger populations tended to have more significant resources set aside to deal with the greater volume of personal data.
The survey also found that most budget for GDPR spending is allocated to staff salaries and software, and that many councils have allocated budget specifically for staff costs to manage the GDPR processes.
This illustrated the level of education and information governance required across the entire organisation to implement the regulation and manage its implications, the report said.
The fact that London councils all had a budget for preparing for the GDPR shows a higher level of awareness of the regulation than the capital’s businesses, with a recent London Chamber of Commerce and Industry (LCCI) survey revealing that nearly one in four London businesses are still unaware of the new data protection regulation.
Based on the Parliament Street survey findings, the report recommends that UK councils:
1. Consider implementing a shared services model for GDPR
The report notes that London Councils with shared service agreements have significantly lower overheads when it comes to GDPR management. This is because one IT model serves both organisations, enabling back-office processes to be audited and data to be managed efficiently by one IT team.
2. Use collective external resources to hire GDPR expertise
Many councils have invested in additional staffing to support implementation of the GDPR, and Parliament Street proposes that councils consider a shared agreement for hiring external agencies and consultants to support GDPR strategy. This could include agreeing discounted contracts with providers at a reduced rate, serving up to three councils in one package.
3. Develop a GDPR blueprint for London
London councils will all face similar implementation challenges around this legislation, the report said, which means it is logical that a collective roadmap is developed and shared between local authorities so that each has access to implementation strategies and information. This could include sharing best practice protocols and guidelines for overcoming challenges during the processes, the report said.
The GDPR represents a major challenge for the way local authorities approach data security policies and handle public information, the report said, adding that the implementation of these regulations and the ongoing adherence to them will require significant resources, including substantial IT expertise, consultancy and staff training.
With council budgets often severely overstretched, delivering these high standards successfully poses a huge challenge both to CIOs and council leaders, but the report said the increased regulation brings with it an opportunity to transform the IT strategies behind public sector service delivery.
“The time has come for local authorities to fully recognise and implement the benefits of shared services agreements, particularly with back office IT,” the report said.
“The sharing of GDPR consultants, sharing of data management policies and implementation strategies will in turn reduce costs and create a more efficient example of local government in action.
“Shared services present a very exciting opportunity for building a leaner, more efficient local council infrastructure, and GDPR provides the perfect platform to test it,” the report said.