UK local councils failing on key GDPR requirement

Most UK local authorities are unable to meet the EU General Data Protection Regulation’s right-to-be-forgotten requirement, and nearly a quarter of firms have yet to hire a data protection officer

Almost seven out of 10 UK local councils are unable to erase personally identifiable information from their systems, according to data collected in response to freedom of information (FOI) requests.

This indicates that local authorities are struggling to meet the financial, personnel and process requirements of the EU’s General Data Protection Regulation (GDPR).

The inability of 69% of local councils to meet a key requirement of the GDPR was revealed by FOI requests sent to 32 London boroughs and 44 other local authorities by data management firm M-Files.

From 25 May 2018, any organisation processing the personal data of individuals in the EU will be required, under Article 17 of the GDPR (the right to erasure, commonly called the right to be forgotten), to erase that data at the request of the data subject where one of the regulation's grounds applies, for example when the data is no longer necessary for the purpose it was collected for or the data subject withdraws consent. The right is not absolute: erasure can be refused where the processing is needed to comply with a legal obligation or to perform a task carried out in the public interest, exemptions that public authorities such as councils will often need to assess on a case-by-case basis.

Locating customer data is likely to be the biggest challenge to fulfilling personal data erasure requests under the GDPR, according to a study published by the Blancco Technology Group in May 2017.

Julian Cook, vice-president of UK business at M-Files, said the responses to the FOI questions about preparedness for GDPR suggest that the public sector needs to be more proactive in tackling personal privacy issues, which form one part of the wider task of GDPR compliance.

“The right to be forgotten is arguably one of the most challenging aspects of GDPR, which places the onus on organisations to introduce smarter measures around data protection and controls, including how the personally identifiable information [PII] of EU citizens is collected, stored and shared,” he said.

Cook said this is particularly true for the public sector, where such data is commonly trapped within information silos and duplicated across different systems and repositories.

“The net result is that public sector organisations often do not have a full picture of the data on their systems, so completely erasing personal data becomes infinitely more challenging,” he said.


According to Cook, radical changes to how public sector organisations manage their information will be needed if they are to meet the GDPR compliance deadline.

In preparing to comply with the GDPR, a key focus for local councils should be on implementing technology systems that streamline the management of personal data and support key requirements of the regulation, including the right to be forgotten, said Cook.

With just nine months to go before the GDPR compliance deadline, technology could play a significant role in automating and simplifying many PII-handling processes, said Cook.

A similar survey of IT security professionals about GDPR preparations has revealed that many are banking on help from machine learning technology.

Some 55% of more than 300 security professionals polled by security firm Imperva at Infosecurity Europe in London in June 2017 said they believed artificial intelligence (AI) or machine learning technology could bear some of their considerable workload in the next three to five years, with 27% suggesting it could even be within the next year or two.

Many have not hired a DPO

The poll also revealed that while 79% of represented organisations are preparing for the GDPR, 22% have not yet hired a data protection officer (DPO).

Article 37 of the GDPR requires controllers and processors of personal data to designate a DPO when the processing is carried out by a public authority or body, or when their “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data”. Local councils fall into the first category, so every authority covered by the M-Files FOI requests is obliged to appoint one.

This means that relatively small companies could be required to appoint a DPO if their processing meets these criteria, while some large organisations will not be obliged to because theirs does not.

According to the Imperva poll, of those respondents with no DPO, 52% are not planning to hire a DPO until the second half of 2018 or beyond – after the GDPR compliance deadline. Just 29% said they plan to hire a DPO this year, and 19% said they plan to hire a DPO in the first half of 2018.

Of those organisations that said they had a DPO, 67% said the DPO was a member of staff, and 11% said they had outsourced the DPO function.

“A crucial takeaway from this survey is that companies need to be engaging with GDPR compliance now,” said Imperva CTO Terry Ray.

“The fact that a high percentage of respondents said they had already hired a DPO is encouraging. GDPR will rear its head in ways that nobody predicted, so engaging early and being ready for every possibility is absolutely crucial.”
