This article was originally published in The MJ

In just over a year, the General Data Protection Regulation will go live, transforming the way councils collect and store personal data.

When it comes into effect in May 2018, GDPR will lay down new rules covering consent to hold and process data, the right to be forgotten or to make subject access requests with regard to data held, and will raise the bar when it comes to protecting that data.

Game-changing data rules for councils

For councils, where the delivery of nearly every service relies on the storage and use of personal data, this is a game-changing piece of regulation.

Certainly, at any other time in the past, it would have been talked about in those terms.

The problem today is that it isn’t. In fact, with the deadline bearing down on us, there is a real worry that it isn’t figuring highly enough on the local government agenda.

With councils consumed by cost-cutting, introducing digital services and the accompanying change, this is hardly surprising.

But for any council CIO or leadership team which has yet to consider a plan for how they will arrive at the May 2018 GDPR deadline in a position of full compliance, now is the time to put the issue at the top of the agenda.

Compliance and consent: start now

The first task for local authorities is to understand that compliance with these new data protection rules isn’t just about changing process around data processing, safeguarding privacy and access.

Being GDPR-ready will also involve a potentially onerous amount of work ensuring legacy data was obtained in a way which complies with the new rules.

For all councils, this will involve an organisation-wide audit of data to check where consent was granted, find evidence that the consent was given in a way which complies with the new rules and to try to obtain consent for data where this is lacking.

For those under the age of 16 who cannot give consent, councils will need to check the validity of the person consenting.

Where evidence of consent is lacking, data will need to be deleted.

There’s also a new need for specific consent for use of sensitive data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership. This also covers the processing of genetic data, biometric data, health data and data relating to sex life or sexual orientation.

A matter of policy

To avoid falling foul of GDPR, organisations will need new policies around how they protect privacy and procedures which ensure data is handled in line with that policy.

As part of this, councils will need to uphold the right to be forgotten, where people withdraw their consent or want their data amended or deleted. They will also have to respond to subject access requests within 72 hours.

The role of IT

Most obviously, GDPR presents a major task of data cleansing and consolidation for IT teams. But beyond this there are other things that councils need to think about which are not immediately apparent upfront.

For instance, in our own preparation at Eduserv, we have found that some leading IT systems don’t allow for individual records to be located and amended or deleted. With this in mind, organisations need to make sure early on that their IT systems will support GDPR.

Another area to focus on is where, for financial, compliance or other legitimate reasons, data needs to be retained rather than deleted. This data will need to be anonymised or pseudonymised and may need specialist systems to carry this out.

A question of time

The good news for councils is that time is still on their side to deliver the changes demanded by GDPR.

Planning now will give organisations the opportunity to identify any issues with suppliers and pin-point potential problem areas within their organisations.

Councils will also be able to put in place processes to update or obtain new GDPR-compliant permission from individuals which also fit in with the new era of data-sharing in public services.

Lastly, by doing all of this sooner rather than later, councils will find they have in place the foundations they need to deliver better public services.

About the author

Jos Creese

As Principal Analyst, Jos acts as the face of our Local Government Executive Briefing programme, independently educating IT and business leaders on a range of business issues and technological challenges. Jos is an independent consultant specialising in helping organisations shift to digital operating models, especially in the public sector. With over 25 years' IT management experience, he has held a number of CIO and non-executive director positions, including with Hampshire County Council as CIO and CDO, supporting business change programmes enabled by IT and leading many IT shared services and IT partnerships in the region. He was president of the Society of IT Management in 2010 and is current president of BCS (the Chartered Institute for IT). He has been named the ‘most influential and innovative UK CIO’ listed in the ‘Top 100 CIO’ since its inception.

To get our advisers working seamlessly alongside your own team, email us or call 0844 5000 115