What all public-sector IT leaders need to know to be ready for GDPR

Written by Victoria Cetinkaya on 25 September 2017 in Opinion

Victoria Cetinkaya of the Information Commissioner’s Office gives the organisation’s top tips for government tech and data chiefs to ensure they are ready for new regulation next year

Whatever sector you work in, all IT leaders need to know about the new data protection law coming into effect next May.

The General Data Protection Regulation (GDPR) updates the current data-protection law and places additional obligations on organisations. There’s a misconception from some that the new regime is an onerous imposition of unnecessary and costly red tape.

That’s not the case. GDPR is an evolution in data protection, not a revolution.

Many of the GDPR’s main aims and principles are the same as those in the Data Protection Act. So, if you’re complying properly with the current law, then most of your approach to compliance will remain valid under the GDPR, and can be the starting point to build from.

However, there are new elements and some significant enhancements, so you will have to do some things for the first time and some things differently.

The GDPR will include new obligations for organisations. Public sector organisations will have to report data breaches that pose a risk to individuals to us at the ICO, and in some cases to the individuals affected.

Another key change for organisations is understanding the new rights for the public.

Consumers and citizens will have stronger rights to be informed about how organisations use their personal data. They’ll have the right to request that personal data be deleted or removed if there’s no compelling reason for an organisation to carry on processing it, and new rights around data portability and how they give consent.

Here are our top tips for getting ready for GDPR:

Accountability
Having access to people’s personal information means organisations have to act with great responsibility. 

At the centre of the GDPR is the concept of broader and deeper accountability for an organisation’s handling of personal data. Part of this is being able to show how they are complying with the GDPR, which means keeping up-to-date records of any decision-making around data protection. Public sector bodies should implement appropriate technical and organisational measures that ensure and demonstrate compliance with the legislation.

Privacy impact assessments
Another core component of the GDPR is the concept of data protection by design and default. 

One very important measure to show that an organisation has considered and integrated data protection by design into processing activities is the data protection impact assessment (DPIA), currently known as a privacy impact assessment, or PIA. This is a tool which can help organisations comply with their data-protection obligations and meet individuals’ expectations of privacy by identifying and mitigating risks to privacy.

An effective DPIA will allow an organisation to identify and fix problems at an early stage of any new project or development, reducing the associated costs and damage to reputation which might otherwise occur.

That means organisations need to be thinking about privacy implications and data protection from the very start of projects or developments.

Having the right staff with the right knowledge
Lack of staff awareness and understanding of data protection is behind many of the security incidents our enforcement teams see in the public sector and has led to many of the fines we have imposed to date.

Any data breach or near miss should be seen as an opportunity to review current practices in how you handle personal data. Lessons learnt from an incident should be translated into improvements in how your organisation complies with data protection law. 

Help from the ICO
Our main aim is to help organisations get it right when it comes to using personal data – and that includes preparing for GDPR. There’s a wealth of material on our website to help. Pages on our website are dedicated to data protection law reform, including GDPR. And, if you want to stay updated on new guidance, our e-newsletter is a good place to start.

About the author

Victoria Cetinkaya is senior policy officer at the Information Commissioner’s Office
