Why councils must prepare now for 2018 data protection rules

Councils should act now to prepare for the General Data Protection Regulation (GDPR) in 2018, local government CIO body Socitm has recommended.

GDPR is expected to completely overhaul how organisations deal with people's personal data when it comes into force in two years' time, and Socitm believes compliance will be difficult to achieve in some cases.

The EU legislation, when it is adopted into UK law, will replace the existing Data Protection Act, which was published back in 1998 before the invention or mass adoption of technologies like the cloud, which are now commonplace.

As a result, it will seek to give people more control over who can use their data, including the right to ask an organisation to delete the information it holds on them, as well as more clarity over how their data is processed and easier access to their own data.

Organisations seeking to process people's data will also be required to obtain more explicit consent to do so. Tougher financial penalties will also be introduced for organisations that experience data breaches.

Socitm's head of research, Andy Hopkirk, said: "Accommodating the changes will be a matter of amending existing processes rather than inventing new ones. Some of the changes could be onerous and problematic. For example, councils will need to be able to deal correctly and completely with 'right to be forgotten' requests - perhaps the single greatest challenge in an almost ubiquitously networked and distributed computing world."

Its new briefing, Data protection: Control | All | Delete?, sets out some of the changes and advises how councils can update their information governance frameworks to meet the new requirements.