General Data Protection Regulation

ICO: “We’re one lecture ahead of you guys in terms of telling you what to be doing for GDPR.”

The European Union’s General Data Protection Regulation will come into force in May 2018. Recent surveys have shown that many organisations are yet to engage with the forthcoming legislation. Perhaps this isn’t surprising when you consider that those who should be in a position to help admit that they themselves see GDPR as a bit of an unknown at the moment. That was the admission by Maureen Falconer, Regional Manager – Scotland, Information Commissioner’s Office (ICO).

“Having come from academia, where you are very often only one lecture ahead of your students, that’s kind of how we feel in the ICO at the moment; we’re one lecture ahead of you guys in terms of telling you what to be doing for GDPR. We can certainly help with preparation, but how it’s going to look is still a bit of an unknown at this moment in time.”

Maureen Falconer was speaking at a recent Holyrood and OpenText data event that looked at the implications of GDPR for the public sector. Titled “Harnessing Your Data to Enable Change”, the event was designed to provide public sector organisations with the information and guidance needed to prepare for the forthcoming General Data Protection Regulation. Other speakers at the event came from the Scottish Government, data provider OpenText and the Information Commissioner’s Office itself.

Brexit will not provide a get-out clause for complying with GDPR

It was highlighted at the event that many organisations have stated that they think there is no need to comply with GDPR because the UK will be leaving the European Union thanks to the recent Brexit vote. But with the new regulations coming in May 2018, before the UK will actually leave the EU, the regulations will apply to all organisations in the UK.

“We still don’t know that question as to when it’s actually going to happen, but what we do know from our perspective…whether we’re in, whether we’re out doesn’t matter, data protection is going to look like and feel like the General Data Protection Regulation, so absolutely that’s what we’re heading towards”.

The Data Protection Officer Role

Another important issue highlighted at the “Harnessing Your Data to Enable Change” event was the increasingly important role of the data protection officer under the forthcoming General Data Protection Regulation. Falconer commented:

“This data protection officer role for the public sector is pretty major. You’re talking about somebody that’s up at the SMT [senior management team] level or at least has input into that level, you’re talking about a lot of autonomy. You’re talking about somebody that has got to know all of the processes in the organisation and, that’s the person that we’re going to be liaising with, hopefully, as the regulator. So, yes, I think it’s kind of beyond the current IG [information governance] pay grade as it were. It needs to be up there. And that’s going to have resource implications for public authorities.”

Helen Findlay, Data Protection and Information Assets Team Leader for the Scottish Government, agreed, saying that the role will be almost unique in British organisational culture:

“If you’re a public sector organisation, this is going to be mandatory. Increased responsibilities, this could be a full time job. I think the interesting part about this is that the person will have to report to the top level of management, but they also have to be approachable by the person in the street. I think that’s sort of a conflict in lots of British organisational culture, I think that’s going to be interesting how that works out.”

