tashka2000 - Fotolia

Many UK local councils still unprepared for GDPR, ICO survey shows

The ICO fines the Norfolk Council as it publishes GDPR guidelines for local councils after a survey revealed not all were up to speed in preparations to comply with the new data protection law

Many local councils still have work to do to be compliant with the EU General Data Protection Regulation (GDPR) by the enforcement date of 25 May 2018, a survey has revealed.

A quarter of councils do not a data protection officer (DPO) although the GDPR requires all public authorities to have one, according to the Information Commissioner’s Office (ICO).

The ICO survey of 173 councils conducted at the end of 2016 also found more than 15% of councils do not have data protection training for employees processing personal data, and a third of councils do not do privacy impact assessments, even though these will be required in certain circumstances by the GDPR.

In the light of these findings, the ICO has posted a blog highlighting guidance available to help councils achieve compliance.

The GDPR is a new law set to replace the Data Protection Act (DPA) 1998, and it will apply in the UK from 25 May 2018. The government has confirmed the UK’s decision to leave the EU will not affect the commencement of the GDPR.

In February 2017, digital minister Matt Hancock told the House of Lords EU Home Affairs Sub-Committee that the GDPR would be implemented in full.

He said the UK government made the decision because the GDPR is a “decent piece of legislation” due to “significant” UK negotiating successes during its development, and it will help ensure the UK is starting from a position of “harmonisation” rather than a position of difference in Brexit negotiations.

Read more about GDPR

Anulka Clarke, ICO head of good practice, said the “overarching conclusion” from analysis of the survey results was that although there is a lot of good practice out there, many councils have work to do to prepare for the GDPR.

The guidance coincides with news that the ICO has fined Norfolk Council £60,000 for a data breach involving social work files.

The breach came to light after social work case files were discovered in a cabinet purchased by a member of the public from a second hand shop.

“We will issue fines where necessary, but we’d much rather work with councils to help them prevent data security incidents,” said Clarke.

“That’s why we undertook this survey, to find out where the problems are, and why the ICO will be on hand in the run up to May 2018 to help councils in their GDPR preparations,” she said.

Setting high standards for data privacy

The ICO said the GDPR sets high standards for organisations when it comes to the privacy of personal data.

Having the right staff and procedures in place will be key to ensuring councils look after personal information properly and comply with the new rules,” said the ICO.

Under the DPA, the ICO can impose monetary penalties of up to £500,000, but under the GDPR, organisations will face fines of up to €20m or 4% of annual worldwide turnover, whichever is greater.

This means that if data breaches remain at the levels of 2015, the fines paid to the European regulator could see a near 90-fold increase, from £1.4bn in 2015 to £122bn, the Payment Card Industry Security Standards Council (PCI SSC) calculated, based on the maximum fine of 4% of global turnover.

For large UK organisations, this could see regulatory fines for data breaches soar to £70bn, more than a 130-fold increase, rising to an average of £11m per organisation. Regulatory fines for small and medium-sized enterprises (SMEs) could see a 57-fold increase, rising to £52bn and averaging £13,000 per SME.

Read more on Privacy and data protection