Local Government Lawyer Insight, February 2018

whichever is greater. This far exceeds the current maximum of £500,000.

Top practical tips

Local authorities should put in place mechanisms to ensure that steps taken towards compliance with the GDPR are demonstrable – the GDPR requires not only that organisations are compliant with the law, but also that they demonstrate how they are compliant. In order to avoid the financial and reputational risks of non-compliance, here are some of the key areas that local authorities should consider in their GDPR preparations:

● The role of data protection officer is required under GDPR
● Implement data protection training for staff and refresher training at least every two years
● Ensure that data protection and information security policies, as well as data sharing policies, are in place and reviewed annually
● Complete an information asset register to determine what information they hold, where it is held and which information asset owner is responsible for it
● Conduct privacy impact assessments in certain circumstances
● Establish a proper incident management process for information security breaches to ensure that the new 72-hour reporting deadline is met
● Local authorities should also consistently monitor and benchmark their levels of compliance through compliance reports and key performance indicators.

As information available from the ICO suggests that human error accounts for almost half of all data breaches, given the size of the local government workforce, having the right staff and procedures in place will be key to ensuring local authorities do not put personal information at risk and break data protection law.

Complex organisations such as local authorities on the frontline of public service delivery are in a tricky position. There is so much organisations can do when handling data to make that data less vulnerable to exploitation.
Digital hygiene is essential to protect people’s personal information, limit the exposure of sensitive data in the event of a breach and mitigate reputational damage. And with the biggest legislative changes to privacy compliance on the horizon, we are seeing cyber security moving higher up the agenda for information governance teams across the country.

Kerry Benyon is a partner and expert on data protection at Acuity Legal www.acuitylegal.co.uk