‘Concerning’ shortcomings include the lack of mandatory data protection training at many local authorities, the ICO said
The Information Commissioner’s Office (ICO) has found “concerning” shortcomings in local councils’ work on data protection ahead of the implementation of the strict General Data Protection Regulation (GDPR) next year.
The findings of a survey conducted late last year, and published this week, show councils have work to do before the new rules come into force in the UK on 25 May 2018, the ICO said.
Lack of data protection training
The study found 34 percent of councils don’t carry out privacy impact assessments (PIAs).
Since the GDPR requires them to do so in certain circumstances, councils would be best advised to produce their own PIA process and accompanying guidance so that privacy issues are considered as part of every project.
The ICO found 37 percent of councils have no data sharing policy, while one-quarter don’t have a data protection officer. The upcoming regulations increase data sharing requirements to provide certain services, and require the role of data protection officer in public authorities.
“It was good to see that 93 percent of councils have a data protection and information security policy,” said audit group manager Anulka Clarke.
She said the ICO found it “concerning” that 18 percent of councils don’t have mandatory data protection training for staff, given that many of the information security incidents her office deals with are caused by staff not knowing what they need to do about data protection.
Overall, the findings show that “many councils have work to do”, Clarke said.
Fines to increase
The GDPR is to replace the Data Protection Act (DPA) 1998, and the government has confirmed the referendum to leave the EU will not affect the regulations’ implementation in the UK.
The new rules will, amongst other things, vastly increase the power of European data protection authorities to impose fines, with organisations facing penalties of up to 20 million euros, or 4 percent of their annual worldwide turnover, whichever is greater.
By contrast, the ICO can currently impose fines of up to only £500,000.
The Payment Card Industry Security Standards Council (PCI SSC) recently estimated fines paid to the European data protection regulator could rise from £1.4bn in 2015 to £122bn in 2018, a nearly 90-fold increase, based on breaches continuing at the same level.
Large organisations could face a total of £70bn in fines, or £11m on average, with smaller businesses seeing a 60-fold increase to £52bn, or £13,000 per fine on average, the PCI SSC estimated.
The ICO also said this week it fined Norfolk County Council £60,000 after social work case files were found in a cabinet purchased by a member of the public from a second-hand shop.
“Norfolk County Council appears to have overlooked the need to ensure it had robust measures in place to protect this information,” said ICO head of enforcement Steve Eckersley in a statement. “It should have had a written procedure in place which made it clear that any storage items removed from the office which may have contained personal [data] were thoroughly checked before disposal.”