UK Councils Still Failing on GDPR Compliance Plans

Over four-fifths of UK councils still haven’t allocated budget for GDPR compliance, raising fears that they could miss the May 2018 deadline, according to M-Files.

The information management vendor sent FOI requests to all 32 London boroughs and 44 other local authorities across the country, and found 76% of London councils and 89% in the rest of the UK have yet to allocate funds to help prepare for the sweeping new EU legislation.

The firm also revealed that over half (56%) of local authorities haven’t yet appointed a data protection officer (DPO), a key requirement of the GDPR. Failing to meet it could result in a fine of 2% of global turnover or up to €10m, whichever is higher.

The stats echo similar findings by privacy watchdog the Information Commissioner’s Office (ICO), which warned in March that local authorities could be falling behind.

That report claimed that a quarter of councils didn’t have a DPO, that only 17% had a complete Information Asset Register – a key step to knowing what data an organization holds – and 34% had yet to appoint Information Asset Owners (IAOs).

The study also found that a third (34%) of councils don’t do privacy impact assessments (PIAs) – another key requirement of the GDPR – and 18% hadn’t put in place data protection training for employees.

Local authorities must get better at data management, but their task is made more challenging by the increasing amounts of sensitive data they’re tasked with protecting, argued M-Files UK vice president, Julian Cook.

“However, the rules of GDPR are non-negotiable, so there needs to be a concerted effort over the coming months to make the necessary preparations for its introduction,” he added.

“This isn’t just the responsibility of IT experts – it’s about making sure that local authorities have the funds and resources to prioritize this, and that decision-makers outside of the IT department are aware of what needs to be done.”
