More than five years after the General Data Protection Regulation (GDPR) was first proposed by the European Commission, it is now very much on our doorstep. But despite the long lead time and formal notice period, many organisations remain woefully unprepared for the new data protection regime and are only now facing up to what the GDPR will mean for them. Nowhere is this more true than in the UK public sector, which has a lot of work on its hands if it is to be GDPR-ready by the time the regulation is formally introduced on 25 May 2018.
At its core, GDPR is being introduced to strengthen the rights and freedoms of EU citizens as they relate to their personally identifiable information (PII). Consent for organisations to use personal data will have to be freely given by the person concerned, and organisations need to ensure records are maintained to demonstrate that they are able to use that data.
Moreover, citizens will have new powers over their information, such as the ability to request that their data be removed from an organisation's systems (the “right to be forgotten”), and to find out what data is being held about them. Compliance will not come easily for many organisations, particularly in the public sector, where this data is commonly trapped in information siloes and duplicated across different systems and repositories. For organisations to ensure compliance with the new rules, they need to have the processes and technology in place to make it happen.
Fail to prepare, prepare to fail
Despite this impending reality, local authorities across the country appear to still be struggling to put the right procedures in place in order to be adequately prepared. A Freedom of Information (FOI) request recently conducted on behalf of M-Files found that an overwhelming majority of UK boroughs are well behind in terms of their planning and preparation for GDPR.
FOI requests were sent to all 32 London boroughs and 44 other local authorities distributed evenly throughout the UK, asking a series of questions regarding GDPR readiness. 82 percent of local authorities had not yet allocated budget for implementing provisions to meet GDPR requirements, and 56 percent had not yet appointed a Data Protection Officer. In addition, seven in 10 (69 percent) could not effectively erase PII from their systems – a critical requirement of the new regulation.
But what issues should stretched local authorities tackle first as they look to accelerate their GDPR preparation? One area that should be raised to the top of the agenda is that of information management, and working to eliminate the challenges that staff encounter when it comes to finding and accessing data and content. By taking steps to address this content chaos, local authorities stand the best possible chance of securing their data and steering clear of any GDPR-related sanctions.
The first step is mapping where PII resides across your organisation. Before you start looking at GDPR in any way, the key is to understand where this data is, who has access to it, who it is shared with, and ultimately, how you can best manage it according to GDPR requirements.
Unfortunately, this is something that many public sector organisations are very much in the dark on. In a separate research project conducted by M-Files earlier this year, 67 percent of public sector respondents stated that they find locating information on office systems a challenge. Moreover, 71 percent said they have had to recreate documents that already existed because they were unable to find them.
These figures point to public sector organisations being in the midst of content chaos: lacking the capabilities to effectively organise all of this information and wasting time and money as a result. To tackle this problem, the public sector needs to get smarter about how it manages data, placing a much greater emphasis on establishing a thorough, consistent approach to information management.
Making sense of personally identifiable information
The rules of GDPR are non-negotiable, so it is vital that local authorities make a concerted effort over the coming months to make the necessary preparations for its introduction.
The challenge remains that many legacy approaches to managing information and personal data aren't flexible or dynamic enough to deal with GDPR. In the event of an audit, organisations will need quick and easy access to this information, which can be hard to achieve when information is lost in hierarchical network file folders, or worse yet, in paper files.
Intelligent information management systems can make identifying and managing PII significantly more straightforward. By organising information according to what it is rather than where it's stored, local authorities can break free from folder-based systems and enable employees to find and manage information in an easier and faster manner.
Importantly, these solutions can fit seamlessly with existing systems and processes. For the increasingly cash-strapped public sector, this integration is hugely beneficial, enabling organisations to continue leveraging their existing legacy systems while adding the powerful information management functionality needed to protect and control the PII they hold, and thus adhere to GDPR requirements.
Implementing the right solutions and processes will enable local authorities to not only gain much greater control over the PII they collect and store, but also to prove to auditors that they are following the regulation's requirements.
Contributed by Julian Cook, VP of UK Business at M-Files
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.