Local Government Lawyer Insight February 2018 LocalGovernmentLawyer 22

GDPR countdown: what the public sector needs to know

The deadline for compliance with the General Data Protection Regulation is fast-approaching. Dan Milnes and Nat Avdiu outline the key steps that local authorities need to take before May 2018.

As the Data Protection Act (DPA) expanded the effect of the 1984 version, on 25 May 2018 the General Data Protection Regulation (GDPR) will make significant changes which the enabling UK legislation might moderate but will not reverse. Applying the DPA, the Information Commissioner’s Office (ICO) in the last year alone has taken enforcement action in respect of a number of local authorities. This has included fines for failing to keep personal data secure, being vulnerable to cyber attacks resulting in unlawful disclosure, inadvertently publishing personal data and leaving sensitive personal data in furniture given to a charity. Similarly, the ICO has required undertakings from some local authorities in relation to failures to provide data protection training to staff resulting in data breaches. The current state of play in relation to achieving GDPR compliance is also evident in the ICO’s survey of local government. The results show that whilst local authorities have established good practice in many areas, there are also key deficiencies against obligations contained in the GDPR.

Some of the deficiencies identified from 173 responses include:

● 26% do not have a Data Protection Officer (DPO);
● More than 30% do not undertake Privacy Impact Assessments (PIA);
● More than 50% do not follow certain standards such as the Payment Card Industry Data Security Standard;
● Some councils do not have key policies in place such as PIA (56.1%), Data Sharing (37%) and Subject Access (27.7%);
● More than 15% do not have mandatory data protection training for employees who process personal data and 29.6% do not have mandatory refresher training;
● For 53.5%, completion of training is not a precondition for accessing a council’s network or systems.

Whilst local authorities may well be on their journey to prepare for GDPR, for those that have not begun, they now have only a limited time in which to ensure that their data processing activities are GDPR compliant. This article lists some of the topics which we are discussing with clients in the public sector in light of the GDPR, the current state of compliance in the public sector and enforcement action by the ICO.

Consent

The 1998 Act allows for two grades of consent for normal or sensitive personal data to be processed. Under GDPR consent must always be given by a statement or clear affirmative action clearly distinguishable from other matters. This means organisations cannot simply embed the requirement of consent within their terms or application form, especially when the consent is for something different to the reason for making the contract or application. Also, the use of pre-ticked opt-in boxes is no longer permitted. Records of consent obtained by an organisation need to be retained. This is a requirement under Article 7 of the GDPR, and may be requested by a supervisory authority. Individuals also have the right to withdraw their consent at any time. The GDPR states that ‘it must be as easy to withdraw as it was to give consent’, which will require changes in many websites and other processes.

It is important to check that processes for gaining consent and keeping records are GDPR compliant. If existing DPA