UK councils are struggling to become compliant with the European Union General Data Protection Regulation (GDPR). This shouldn’t come as a surprise given the challenges they experience managing information assets on a daily basis, according to Julian Cook, VP of UK Business at the information management software company M-Files.
A survey from the data protection regulator the ICO suggested that many councils have work to do, to comply with the new GDPR that will come into effect in May 2018. While the findings showed that “positive measures” were being put in place by councils, it also flagged concerns. Only a quarter of councils had a data protection officer in place, despite the GDPR mandate that requires that all public authorities to have one in place by the time the regulation is introduced. Some 15 per cent of councils did not have adequate training in place to support staff processing personal data. And a third, 34 per cent of local authorities didn’t have privacy impact assessments (PIA), again another requirement of the GDPR.
The ICO’s findings follow recent research from M-Files suggesting that the public sector faces challenges when it comes to managing information assets in the workplace. Roughly two-thirds (67 per cent) of public sector respondents in the research stated that they find locating information when in the office a challenge. Moreover, 71 per cent said they have had to recreate documents that already existed because they were unable to find them; a significant waste of taxpayers’ money and a clear indication that public sector organisations are struggling to keep track of their documents.
According to Cook, the ICO and M-Files findings raise important questions about the public sector’s ability to meet the regulation. He says: “The findings from both the ICO and our own research highlight the struggles those in the public sector face when it comes to managing their content, and ultimately it will be the taxpayers that will pay the price. Norfolk County Council is a prime example here, having just been fined £60,000 by the ICO for its mishandling of sensitive information; a fine that could have been considerably higher if the breach had occurred after the introduction of the GDPR. Incidents like this bring to light the importance of having an effective information management system in place to better track and secure information and to drive greater efficiencies.”
Councils need to take critical action now or face the threat of fines which the GDPR will bring with it. For example, organisations must know how to conduct data protection impact assessments (PIAs) – a legal requirement under the GDPR. They must also appoint a Senior Information Risk Owner to help manage information risk, as well as be able to monitor and benchmark the level of compliance through the use of compliance reports and KPIs to facilitate continual improvement. They must also have an Information Security Incident Management Policy in place, and provide comprehensive training to create a culture where security is front of mind for all staff.
Cook adds: “Additionally, the ongoing struggle of managing information assets shows the need to supplement this with an effective enterprise content management (ECM) system. ECM solutions can be critical in helping eliminate the content chaos that plagues so many businesses. ECM systems like M-Files, enable information to be managed in a much more intuitive manner, meaning employees waste much less time searching for a document that may be hidden amongst a plethora of folders. This will drive employee productivity and provide support in complying with industry standards.”
