ICO survey shows many councils unprepared for GDPR

March 21, 2017

Many councils are not ready for the implementation of the General Data Protection Regulation (GDPR) next year according to a survey conducted by the Information Commissioner’s Office (ICO).

The survey completed by 173 local councils at the end of last year, found that a quarter of councils have yet to appoint a data protection officer while just over a third (34 per cent) of councils have yet to set up a system of data protection impact assessments, both of which will compulsory after the Regulation takes effect in May 2018.

Anulka Clarke, ICO Head of Good Practice, said: “The overarching conclusion from our analysis of the survey results was that, although there is good practice out there, with GDPR coming in May 2018, many councils have work to do. Adhering to good practice measures under the Data Protection Act will stand organisations in good stead for the new regulations.”

The ICO is concerned about the public sector as it holds large amounts of personal data across a wide range of services. The regulator recommends the establishment of an Information Asset Register (IAR) at each council to help ensure it knows what information it holds, where it is and which ‘Information Asset Owner’ (IAO) is responsible for it. However, the survey shows that only 17 per cent of councils have a complete IAR and that 34 per cent have yet to appoint IAOs.

Clarke said: “Councils still need to be complying with the DPA in the run up to the implementation of GDPR. Adhering to good practice measures under DPA will stand organisations in good stead for the new regulations. We’ll be updating the dedicated GDPR section of our website regularly with more information and guidance.”

The ICO is offering audits, an index of guidance and a helpline service to help councils prepare for the GDPR and is launching a blog highlighting guidance available to help councils achieve compliance with the new General Data Protection Regulation (GDPR)

Clarke added:“ The overarching conclusion from our analysis of the survey results was that, although there is a lot of good practice out there, with GDPR coming in May 2018, many councils have work to do to prepare for the new GDPR.

“Just today the ICO fined Norfolk Council for a data breach involving social work files. We will issue fines where necessary but we’d much rather work with councils to help them prevent data security incidents. That’s why we undertook this survey, to find out where the problems are, and why the ICO will be on hand in the run up to May 2018 to help councils in their GDPR preparations.”