GDPR: Councils underprepared, ICO report finds

Some councils are not fully prepared for strict new data protection measures coming into force early next year, according to a new report from the Information Commissioner’s Office (ICO), the watchdog responsible for enforcing the new rules.

From March 2018 the EU’s General Data Protection Regulation (GDPR) will come into force in the UK in a move designed to harmonise data privacy laws across the EU and give citizens better control over their personal data.

Any company violating the regulations will be subject to hefty penalties of either €20 million or four per cent of its global revenue, whichever is greater.

Despite it being crucial for public sector organisations to prepare for the new regulations, the ICO has found that many authorities are lacking the key practices that the legislation lays out.

A third haven’t conducted privacy impact assessments, 25 per cent do not have a data protection officer and 15 per cent do not offer data protection training for employees who handle personal data.

"Although there is good practice out there, with GDPR coming in May 2018, many councils have work to do," said Anulka Clarke, head of good practice at the ICO.

The ICO’s survey also found that while 93 per cent of councils have a data protection and information security policy, 37 per cent lack a data sharing policy.

"In the wake of an information security incident, swift reporting, containment and recovery of the situation is vital. Every effort should be taken to minimise the potential impact on affected individuals. As such, it's a good idea to have a proper incident management process," Clarke added.
