Event report: Brexit or not, we will still have the GDPR
Harnessing your Data to Enable Change - Image credit: Alistair Kerr Photography/Holyrood
“Having come from academia, where you are very often only one lecture ahead of your students, that’s kind of how we feel in the ICO at the moment; we’re one lecture ahead of you guys in terms of telling you what to be doing for GDPR,” Maureen Falconer, Regional Manager – Scotland, Information Commissioner's Office (ICO), admitted to a Holyrood seminar on data management.
“We can certainly help with preparation, but how it’s going to look is still a bit of an unknown at this moment in time.”
GDPR, the General Data Protection Regulation, is a stringent new EU regulation on data protection that will come into force in May 2018, affecting both private and public organisations.
The Holyrood and OpenText data seminar, Harnessing Your Data to Enable Change, looked at what those in the public sector need to consider in their preparations for the major changes, with speakers from the data regulator, the Office of the Information Commissioner, the Scottish Government and data solutions provider OpenText, as well as a panel of those who are currently engaged in the process.
Data sharing is a major issue among public organisations, Falconer said. It should make things smoother for the customer, but, she added, as well as having to be done according to current data protection regulation and human rights legislation, GDPR is going to “change things, absolutely”.
And Brexit will not provide a get-out clause for complying with GDPR: “We still don’t know that question as to when it’s actually going to happen, but what we do know from our perspective…whether we’re in, whether we’re out doesn’t matter, data protection is going to look like and feel like the General Data Protection Regulation, so absolutely that’s what we’re heading towards,” said Falconer.
She went through a number of key changes and areas for organisations to think about. One of those is that public bodies will need to have a data protection officer in place, and it’s a much bigger role than that of the current information manager.
She said: “This data protection officer role for the public sector is pretty major. You’re talking about somebody that’s up at the SMT [senior management team] level or at least has input into that level, you’re talking about a lot of autonomy.
“You’re talking about somebody that has got to know all of the processes in the organisation and, that’s the person that we’re going to be liaising with, hopefully, as the regulator.
“So, yes, I think it’s kind of beyond the current IG [information governance] pay grade as it were. It needs to be up there. And that’s going to have resource implications for public authorities.”
Under GDPR, organisations will have to notify the information authority within 72 hours of a data breach or risk a fine, so the person in charge will need to know what’s going on.
A key issue Falconer raised for public authorities is consent for use of data because it is complicated by the power relationship between, for example, a council and a local resident.
Consent cannot be implied, and there is no ‘soft opt-in’, where if someone doesn’t say they don’t consent, it is taken as consent; consent must be a “specified, informed, unambiguous indication of the data subject’s wishes”.
However, it doesn’t need to be a written statement; it could be verbal, as long as there is a procedure in place for managing and recording consent.
But where use of data is a requirement for a public body to carry out its function, and it is not realistically possible for someone to withhold consent because by refusing they would not receive a service, then consent is not what you are relying on for processing the data, Falconer explained.
Falconer said: “Where there is a clear imbalance between the relationship of the data subject and the data controller, and a public authority is going to be in that imbalance, then consent is perhaps not the appropriate condition for processing.
“What GDPR is attempting to do here is push public authorities towards their statutory functions and making you rely on your statutory functions, so it would be legal obligation, duties under statute to provide certain services, so where you have that duty under statute then consent is actually not the condition to be relying on at all. You’d be relying on your legal obligation to do something.”
Helen Findlay, Data Protection and Information Assets Team Leader for the Scottish Government, said that a key driver for the Government in implementing GDPR was maintaining public trust.
“It’s very important that the public trust us to handle their personal data well. And especially in the light of a lot more public services coming up to Scotland in the Scotland Act.”
Running through some key issues other organisations should be considering, she raised the need for “comprehensive records of all data processing activities including the purpose of the process and the legal basis” – which need to be produced for the regulator – as well as the role of the data protection officer and the reduction in the time allowed for data access requests from 40 days to a month.
Regarding the role of the data protection officer, Findlay said: “If you’re a public sector organisation, this is going to be mandatory. Increased responsibilities, this could be a full time job.
“I think the interesting part about this is that the person will have to report to the top level of management, but they also have to be approachable by the person in the street.
“I think that’s sort of a conflict in lots of British organisational culture, I think that’s going to be interesting how that works out.”
Findlay said the Scottish Government is treating GDPR as a project with an end date, a series of required outcomes, work streams, a budget and a finite pool of resources.
“We’re defining responsibilities clearly, we’re engaging with our senior managers early, we’ve already spoken to all of our executives, all of our senior team.
“So who’s responsible for this in your organisation? Do you know? Where does the risk lie in your organisation for data protection, for information risk management?
“Have you spoken to these people? That’s probably something that you’re going to need to do now.”
She continued: “How do you audit compliance? Do you have a compliance audit process for data protection? Do you need one? We’ve spoken a bit today about information asset owners, do you have a structure? Do they know what’s happening with this? Do they know what their responsibilities are?”
A key part of the process for the Scottish Government, and one which should be for other organisations too, she said, would be undertaking an assessment of its data processing, making sure you know exactly who is accountable for each processing activity.
Following on from this, OpenText’s principal solutions consultant, Birger Tenow, continued with more practical questions for organisations to consider in terms of internal data retention policies and management.
Taking the HR system as an example, he asked: “Just during the onboarding process, there’s a lot of information. Quite private information as well. It’s interviews, it’s contracts, it’s a lot of information just only on the onboarding.
“Do you need to store that? Well, here comes the retention management, for example.
“Just to complicate things more, you do have different kinds of systems for this, you have HR solutions, you have team sites within the HR community.
“Sometimes you have your online, or some part of your onboarding being outsourced to another organisation. How do you secure that data? You’re still the owner here, they’re just a part of it all.
“And then in your ongoing employment, whether you have health records, insurance claims, salary statements.
“All of that kind of information, where does it reside? Is it secure? How long should we retain it for?”
Tenow mentioned an audit OpenText did of one Danish company where a routine search turned up highly personal data about an employee’s psychiatric assessment, which would constitute a data breach.
“And you will find that kind of information. Of course it’s important to assess your current structure in data processes, but you have other data as well that just suddenly pops up every here and there. So, beware of that as well.”
While documents spring to mind when thinking of data, Tenow pointed out that document management is only part of the picture, with all kinds of content, from images to invoices, and even records of the verbal consent to use data, having to be controlled and recorded.
He challenged: “So, the same question that we’ve talked about previously, make sure that you [manage] your retention policies, your access drives.
“In some cases you also need to [do] some kind of anonymisation and, looking towards the internal operations, do we manage the information in a secure and good way?”
With regard to digital government and information requests, he suggested looking at more automation of the process: “We talked about opening up and making sure that you have a digital government – a lot of the e-service portals are basically doing that.
“I don’t know if those requests that you were talking about, instead of having someone manually doing all that work – because I guess that you will have an increase in those requests – if there is an awful lot of requests then that will be a lot of manual labour.
“Maybe it’s better to have a portal doing this in a more automated way?
“It sounds very easy to do that but it’s not. Because you have an awful lot of systems with usually a lot of different kinds of information and it’s not 100 per cent sure that, even though it’s the same person, it could be a different kind of information.
“So, you’ve got to start syncing those different kinds of information repositories. Especially since you also need to have the consent if you would like to fix the quality of that information as well.
“How do you actually do that? That is a monster data machine that is put in there and a smart one going out to all the different kinds of data storage you have and fix that information.
“It’s not an easy task. It is do-able. So, controlling that and having some kind of data management strategy for this and syncing that data, that is something that you will need to start talking about.”
He concluded: “So, getting your arms around content, putting all the regulations and retention policies and stuff like that [in place], process and number of solutions for getting content and processes working together, this is the key to automate your processes and your case plan.”
For those who haven’t started thinking about GDPR yet, the weight of change might seem insurmountable. But as Maureen Falconer suggested, public sector organisations are like lorries: they have a large turning circle. With just over a year to go to comply with GDPR, time is of the essence, but everyone is at least in the same boat.