momius - stock.adobe.com
The Department for Work and Pensions is set to spend £14.73m to prepare for the EU’s General Data Protection Regulation (GDPR), a report by the Parliament Street think tank reveals.
The spending will cover a programme of education and awareness activity for all staff, system remediation and a review of the existing records’ storage arrangements, according to the policy paper entitled GDPR: The impact on government.
The report is based on freedom of information (FoI) requests sent to all the major UK government departments asking for a breakdown of expenditure on GDPR preparation to date and projected spend for the remainder of the calendar year, but only four departments responded.
The policy paper examines the steps being taken by central government departments to ensure compliance with the new legislation, including spending on staff training and software. However, the report makes no reference to the fact the UK government will soon introduce its own domestic data protection legislation.
The Data Protection Bill is currently making its way through parliament, and when enacted, will introduce legislation that is highly aligned with the GDPR, with similar requirements and punitive measures for non-compliance in an attempt by government to ensure data flows between the UK and EU are unhindered post-Brexit.
The Parliament Street policy paper said researchers discovered significant variations in spending between departments and respective agencies, with most departments planning to spend much less than the DWP.
Of the government departments to respond to the FoI requests, the Department for Transport (DfT) is the next highest spender on preparing for the GDPR, but has allocated a total budget of £547,000, nearly 27 times less than the DWP.
Read more about GDPR
- UK surveillance laws a potential ‘sticking point’ post-Brexit.
- The GDPR audit power is being outpaced by technological advances in data analytics, says ICO.
- The ICO is playing a full role in EU institutions, and is “fully immersed” in creating guidance for the GDPR, says Elizabeth Denham.
- GDPR focus shifts from the sanctions to the benefits.
- How to be prepared for GDPR by 25 May.
The DfT has spent £147,000 to date preparing for the regulation. This figure includes some time from internal staff assisting with the preparation for the department.
Of this figure, £23,000 was spent on staff training and £72,000 on hiring contingent labour. The remaining amount is costs associated with existing, internal, staff who have been working on GDPR preparation, where those costs have been recorded.
The department said that for the rest of the year it estimated a further spend on GDPR of £400,000.
The Ministry of Justice has a similar budget allocation of £543,31. It has spent £154,218 to date on GDPR preparations. This included £145,430 on software and £8,788 on GDPR-specific training for staff.
For the rest of the calendar year, the department plans to spend a further £24,182 on GDPR training and £364,911 on software.
The Treasury has a total allocated budget of £200,783 for the GDPR. It has spent £90,483 in the financial year of 2017-2018 and projected £78,800 in 2018 to 2019. It had also allocated £30,000 on learning and development and £15,000 on E-Discovery tools.
An increasingly complex process
The report notes that the implementation of the GDPR within central government is an “ongoing and increasingly complex” process. With departments of varying sizes, managing and sharing large volumes of public data and private information requires careful consideration, the report said.
Analyst house Gartner estimates that around 60% of organisations are likely to miss the GDPR compliance deadline of 25 May 2018. Most organisations cite a lack of budget and not enough staff knowledge to implement changes.
Key recommendations in the policy paper include increasing staff training on the fundamentals of the GDPR, sharing best practice between departments and collaborating with external specialist companies for support during implementation of the regulation.
Because managing the GDPR across government requires a broad array of skills, the report said it is likely that the process can be improved through collaboration with private companies and specialist organisations. “Too much of this work is managed ‘in-house’ and external organisations should be given the opportunity to contribute to the process,” the report said.
Peter Irikovsky, CEO, Exponea said that the GDPR presents significant financial and operational challenges for government departments, which are tasked with securely processing large volumes of personal data.
“A major concern with this legislation is that many organisations are rushing to meet the impending deadline, hiring in external consultants and resources without being entirely certain that the changes made will deliver complete compliance,” he said. “As such, there is a real risk that many departments could be GDPR compliant in theory, but not in practice, due to the complex nature of their software vendors, many of which aren’t taking GDPR seriously.”
According to Irikovsky, organisations should consider independent, external certification of GDPR capabilities to guarantee compliance. “By raising standards through certification, departments can be sure they are adhering to these new regulations, protecting the organisation from financial penalties and delivering high standards of data management to the public,” he said.
With just one month to go before the deadline for compliance with the GDPR, organisations should ensure they are able to meet minimum requirements to defend against adverse scrutiny, according to Stewart Room, data protection lead at PwC in the UK and globally.
“Organisations should be focused on the minimum viable product that they should be delivering in a month’s time to achieve the necessary outcomes,” he said.