The closer we get to 25 May, the more emails I receive reminding me that the General Data Protection Regulation (GDPR) is coming soon. Some of these give the sense that the changes to our data protection laws will be apocalyptic and many of them don’t actually seem to have understood the new regulations at all! This is made slightly more dramatic by the uncertainty about when the UK’s new Data Protection Bill will actually be passed into law (so we can’t be 100% certain what the requirements will be – although we do have a good idea).
At Hackney we have been reminding ourselves that the fundamental principles of data protection remain the same – we need to look after the data and privacy of our citizens and employees and we need to make sure that we are using data in ways that are consistent with our legal obligations for delivering services to the borough’s residents and businesses.
Part of the change in the law is to increase transparency – making sure you know what we are doing with your data and what your rights are. And in line with the principle of transparency we are working in the open, so that others can benefit from the investment we’re making in complying with the new law if it would be useful to them.
If you’re a business then you’re likely to find that the exact details of the work you need to do to comply with the GDPR will vary depending on the type of organisation you are and the types of data you hold, but this summary might still provide some useful pointers for your own compliance planning.
In summary, the work we’re doing covers the following areas:
- Our training is designed for anyone – we have reviewed & refreshed our data protection and information security training. We are working with local agency, Helpful Digital, to develop an online ‘Data Awareness Training’ tool. There is a basic level for those handling data, and an intermediate level for those making decisions about data. We’ll be sharing this, so that any other organisation can use it (a community volunteer that maintains a list of other volunteers, for example).
- Information Asset Register – we’re building a register of what information we have, where it is, what controls are around it, who is accountable for it, where we got it from, who we share it with and what our lawful basis for processing it is. That will make it easier to respond to requests and ensure we’re complying with the law. We have been fortunate that the Local Government Association has made a ‘Record of Processing Activity’ tool available through their LG Inform Plus subscription service which we are using to help us build our register. This details all local government activities with the recommended lawful basis for processing and the underpinning legislation that relates to the power or duty (where it’s indicated that data is processed due to a legal obligation or public task).
- Policies – we have refreshed our policies that relate to information management and security. Just as we are sharing the products we are creating, we are also reusing the good work of other organisations where permitted. In this case we based our new policies on those of other councils, saving Hackney time and money. These updated policies are clear and concise, and will have supporting technical standards and guidance.
- Retention & disposal – existing data protection law already requires that we only keep data for the time that we need it for the purpose it was collected for. This doesn’t change with the new law, but we do need to tell individuals how long it will be kept for when we collect it from them. We have also been hard at work reviewing our older data archives and have made some policy decisions about email, have been reviewing the paper records that we store and plan to dispose of historic data that is no longer needed over the coming year. As part of this review work, we’ve been working with our colleagues in the Hackney Archives to make sure that any important archive records are retained for future use.
- Privacy notices – the new law extends individuals’ right to be informed, and we are now required to provide a large amount of additional information when we ask for data, explaining why we need it and how it will be used and stored. We are following the guidance from the Information Commissioner’s Office to take a ‘layered’ approach. This means that we will provide a short summary paragraph in Plain English at the time that we ask for the data (eg when someone completes a form) and this will point to a more detailed notice on the Hackney Council website, with additional detail for each service. We will be sharing these in an online document, licensed under the Open Government Licence, so that they can be reused by others, free of charge.
- Identity Management – we have been exploring how we can minimise the number of times that we ask for ID documents from residents across multiple services through using technology that can simplify managing identity. This would not only save us money by avoiding the need to repeat steps across different services but would also make it easier for citizens to access services without having to prove who they are every time that they use a new service. We’re working together with the Government Digital Service and Tower Hamlets to see if there is potential to use the GOV.UK Verify service to achieve this.
Different organisations will need to take different steps, depending on what data they have and how they have managed it previously. We hope that sharing details of the work we’re doing, working in partnership with others and making our work open will help you understand what the GDPR involves and help other organisations with their own preparations.
If you run a business or other organisation / group that processes personal data then we’d recommend you take a look at the information that the Information Commissioner’s Office have provided online https://ico.org.uk/for-organisations/business/. You can also contact their helpline which is able to offer advice if needed: https://ico.org.uk/global/contact-us/helpline/. You may also find this cyber security guidance from the National Cyber Security Centre useful https://www.ncsc.gov.uk/smallbusiness.