Privacy watchdog the Information Commissioner’s Office (ICO) has warned that the UK’s local councils have plenty of work to do ahead of May 2018, when sweeping new European data protection laws come into force.
The ICO reached out to local government late last year to find out more on their information governance practices, but found some worrying gaps, according to head of good practice, Anulka Clarke.
Specifically, a quarter of councils claimed they still don’t have a data protection officer (DPO) – a key requirement of the forthcoming European General Data Protection Regulation (GDPR).
An ICO spokesperson confirmed to Infosecurity Magazine that as it stands, organizations that don't appoint DPOs could be in line for a fine of up to €10m or 2% of global turnover.
Clarke added that councils should also think about establishing an information asset register (IAR) to “help ensure a council knows what information it holds, where it is and which information asset owner (IAO) is responsible for it.”
Currently, only 17% of UK councils have a complete IAR and 34% have yet to appoint IAOs, she revealed.
In addition, 18% of respondents claimed they haven’t put in place data protection training for employees handling personal data – which Clarke claimed was “concerning”.
She urged councils not to forget to train temporary staff and to conduct annual refresher training for all employees.
The study also found that a third (34%) of councils don’t do privacy impact assessments (PIAs) – another key requirement of the new European regulations.
PIAs are a central pillar of the privacy-by-design approach mandated by the GDPR. The ICO has released a code of practice which could help here.
The research also revealed some local authorities are lacking adequate incident management processes – 4% of don’t have an Information Security Incident Management Policy and 22% don’t consider reports and KPIs for information security breaches.
“The overarching conclusion from our analysis of the survey results was that, although there is good practice out there, with GDPR coming in May 2018, many councils have work to do,” Clarke argued.
“Adhering to good practice measures under the Data Protection Act (DPA) will stand organizations in good stead for the new regulations.”