Turning GDPR from a headache into an opportunity: A guide

This is a guest blog post. Views expressed in this post are original thoughts posted by Jos Creese, CEO at Creese Consulting Limited. Note that the views expressed in this guest blog do not necessarily reflect the views and policies of Veritas Technologies LLC.

So now we know. The EU General Data Protection Regulation (GDPR), which comes into force in May 2018, will apply to the UK. Most of us knew this anyway, since Brexit was not going to happen soon enough to make us exempt, and the Information Commissioner’s Office (ICO) had given strong indications of support. For those who have been prevaricating, or hoping GDPR will just not happen, now is the time to catch up with the leaders.

GDPR has much in common with the current UK Data Protection Act (DPA), but it goes much further in increasing individuals’ rights over personal data. This includes finding out what organisations hold about us, and having errors corrected or data erased (the right to be forgotten). GDPR also has more stringent rules about how quickly organisations must report data breaches, and about ensuring that data is suitably anonymised when necessary.


This is particularly important for public bodies such as councils, who hold some very personal data about us in child protection registers, social care records, ‘births, deaths and marriages’, and in council tax and benefits claimants’ details. But it also matters to the public sector in general, because a lack of trust in how personal data is handled will undermine trust in digital government more generally.

Digital transformation in the public sector is partly about automation and self-service, but it is also about making much more productive use of information. Examples include taking better-informed decisions, increasing the productivity of front-line staff who can access data on the move, and making data connections that allow safer, more timely and more appropriate interventions in areas like care services.

These are all good ambitions, but the public must trust that councils are acting in their interests and holding and using personal data appropriately. Where that trust is lost, digital programmes, such as Care.Data, will fail. So, investing appropriately in improved information governance (IG) will pay off for councils, by enabling services to be improved whilst also being delivered more efficiently, flexibly and in partnership with others. It will also avoid the risks, reputational damage and potential fines from GDPR non-compliance and data breaches.

How much good practice is in place already will determine just how much investment a council needs to make to secure GDPR compliance. Weak IG practice and an immature understanding of data handling and use will almost certainly require a major programme of change – but one that is probably well overdue.

Good information management also helps to ensure democratic accountability and transparency, as well as giving citizens easier access to joined-up digital services which they can use with confidence, security and privacy – indeed, it is mostly the fear over data access, control, security, location and management that explains low cloud adoption in councils.

Poor information practice also carries a variety of risks for all organisations, ranging from data misuse and reputational damage to risks to vulnerable people using services. Addressing the challenge of GDPR should be a way of sharpening information practices in councils, making it a ‘business opportunity’, rather than just another government regulatory overhead.

To help councils to prepare for GDPR in all its aspects, Veritas has scheduled a CIO Digital Debate on The New Data Privacy Revolution. Why not sign up to watch the debate?