For many organisations, the 25th May 2018 was a date that evoked fear, confusion and panic – marking the day by which all those dealing with EU citizens’ data had to be able to demonstrate General Data Protection Regulation (GDPR) compliance.
Many organisations felt under pressure and ill prepared as the deadline loomed. In fact, less than a third of respondents to a survey from Apricorn last year felt confident they would comply. When questioned further and asked whether there were any areas where they might be likely to fail, 81% could think of some area of the new requirements in which they might be non-compliant.
Now, just four months shy of the first anniversary of GDPR, we take a look at the impact of the regulation to date, in particular on local government.
The public sector was not exempt from the general air of panic surrounding GDPR compliance; in fact, the National Association of Local Councils predicted that the burden of compliance would cost the UK’s 10,000 parish and town councils £3.5m in appointing data protection officers to fulfil all the necessary requirements.
As Sam Humphries, senior product marketing manager, global markets and compliance, at Rapid7 says: ‘With vast swathes of personal data in play, including the higher risk category of sensitive personal data, local government organisations had much to do in the run up to the GDPR. Implementing processes, procedures and controls aligning to the GDPR has been tough for many organisations, in both private and public sectors.’
Matt Lock, director of sales engineers at Varonis, also comments that: ‘GDPR presented a challenge to even large companies with the funding and expertise to set up enterprise-wide compliance programmes. Public organisations, including local governments, often lack these resources. They may be short staffed or using older, disparate operating systems.
‘In many cases, they know they need help in becoming GDPR compliant – it’s a matter of securing the resources to do so. Fortunately, it’s not too late to catch up on GDPR compliance. Rather than an end goal, it can be helpful to view GDPR compliance as an ongoing process.’
Keeping on the right side of the ICO
Humphries continues: ‘In this brave new world of EU-wide data compliance, we face tightened rules, new requirements, and the concern of significantly heavier penalties. It is definitely still early days. A few organisations have received enforcement notices or fines under the terms of the GDPR, and local government has not yet been impacted.
‘That said, the Information Commissioner’s Office (ICO) has issued penalties to local government organisations since GDPR came into effect, albeit under the previous rules of the DPA (Data Protection Act).
‘It is also fair to say that even now, eight months in, there are still areas of GDPR lacking absolute clarity, putting additional strain on organisations beyond the time, effort, and money spent in preparing.’
Despite being eight months into GDPR, compliance within local government still appears to be an issue, as evidenced by the recent Chelmsford Council data breach in which more than 6,500 people found their data leaked online. While in that case the ICO did not issue a fine, the fact that breaches like this are still happening means that a fine against a local authority under GDPR is simply a matter of time.
The road to compliance
What has become apparent since May 2018 is that many organisations should have already had much of the infrastructure and processes in place to support compliance, and these data protection practices should have been formalised and implemented consistently across the board.
Personal data, including personally identifiable information (PII), can be found in abundance within public sector organisations, which means that identifying, mapping and securing it should be every organisation’s number one priority.
Back to basics is the best approach.
Organisations should review their existing security processes and technology to better understand their current security posture against compliance guidelines and best practices, identifying the gaps and putting a plan in place to address these areas.
They must ensure all employees have an understanding of the importance of GDPR and the role they play in keeping data safe. Training and education are essential; otherwise most other processes will be rendered futile.
The best form of defence is to make sure all data you hold is as locked down as possible and that all PII is encrypted on all devices. Organisations should research, identify and mandate corporate-standard encrypted storage devices and educate employees on their use, to reduce the risk of a breach and of being fined for non-compliance. Encryption should be a key element of any security strategy, bearing in mind that encryption at rest protects data on a lost or stolen device but does not, on its own, stop an authorised user from mishandling it; access control and monitoring still matter.
According to Humphries, it’s important that organisations keep an eye on developments to the GDPR framework. ‘The ICO’s website is an excellent resource for both recommendations and information on its activities working with organisations. Ultimately, May 25th 2018 was purely a point in time, and like a puppy, the GDPR is definitely not just for Christmas – it is a way of life now, we all need to be thinking GDPR every time we handle and process all forms of personal data.’
Lock adds: ‘The hardest part is getting started, however there’s certainly been an increase in GDPR awareness in local government over the past six months, which is encouraging.’
It can be easy for public sector organisations to panic at the cost and complexity of compliance, but focussing on basic security measures and best practice makes this a much more manageable task. Audit your security infrastructure and make sure your processes, software and hardware have security and encryption built into them. Exercise your internal processes against EU citizens’ rights under GDPR (such as providing all data you hold on them in a portable format) and create and test a data breach plan, including how you would meet the 72-hour window for notifying the ICO of a reportable breach. Once these basics have been addressed the road to compliance will seem far smoother.
Jon Fielding is managing director EMEA at Apricorn