These were the words from Matt Hancock, the government minister for digital and culture, who has once again issued a warning on cyber security.
Largely directed at the private sector, the minister’s comments are a timely reminder about the forthcoming changes to the data protection regulations, accusing companies that do not pay sufficient attention to cyber security of “courting chaos and catering to criminals”.
The words chime with those recently relayed by the Information Commissioner's Office (ICO), which will introduce much larger fines for data breaches alongside a stricter reporting and auditing framework once the EU's General Data Protection Regulation (GDPR) comes into force in the UK from the 25th May 2018.
Following a survey published in March 2017, the ICO found that, despite many local authorities having some key documentation and roles in place, “many councils have work to do”.
What does this mean for local government? Firstly, it means realising that this isn’t a tick box exercise to be handed down to the Information Governance team. The world has changed since the Data Protection Act. The digital revolution means that personal data is likely to be stored and spread more widely. But some things haven’t changed. People still make mistakes, especially when it comes to handling personal data. Except that today these mistakes suddenly become front page news, burdening senior managers’ diaries as they seek to contain the fall-out.
Secondly, this is an opportunity for local government. GDPR has the potential to be the catalyst that local government needs to put the lens over how they transact and engage with citizens, suppliers and partners. If they don’t, the ICO surely will.
The “work to do” is getting the organisation to realise that they need to earn the respect of their customers in terms of handling their personal data. That respect is earned by demonstrating a mastery of customer data in terms of security, control and protection. This is not an initiative to be addressed from an ivory information governance tower. It is a detailed, on the ground activity. It is an exercise in gathering asset and data flows and in managing change, one that requires skilled resources, executive involvement and an unswerving cultural focus in every part of an organisation that deals with customer data, no matter how small.
With ICO fines for breaching citizen trust averaging £100,000 in 2016 and a huge increase in the cyber and hacking threat landscape, CEOs and CIOs should recognise that the business case for putting additional resources to work on GDPR, and doing it properly, will become increasingly difficult to ignore.
A sensible approach requires a planned programme of work spanning technology, customer service operations, information governance and suppliers. Any programme must be pragmatic, based on a risk profile acceptable to the organisation and one that adds value to the organisation instead of just completing documentation or filling the required Data Protection Officer post. The objective should be for the council to build a relationship based on trust with the citizen.
Protecting citizen data and using it properly with consent isn’t going to happen by re-writing a document retention strategy or changing a tick box or two. Implementing the spirit of the new GDPR means education and it means change. Not just for managers or executives, or the Information Governance team, but for everyone who supports the council in the way they interact verbally, in writing and digitally with citizens.
The imperative here is for local government staff charged with the duty of protecting citizen data - and these days that includes just about everyone - to establish a programme of work that is aligned to the organisation’s risk profile, prepares the organisation for forthcoming legislation and demonstrates value to its citizens. But first, local councils should take an honest look at whether they are prepared for the GDPR workload and seek help now if the skills, bandwidth or appetite are found to be wanting.
Find out more about how Agilisys can help bring into sharp focus the safe, secure and compliant way in which local government can engage and share data with its citizens.