New research by M-Files Corporation, one of the UK's leading information management companies, has revealed that the vast majority of local authorities in the United Kingdom are not yet able to comply with the "right to be forgotten" requirements of the forthcoming European Union General Data Protection Regulation (GDPR). This is despite the new regulation being less than 12 months from coming into force in May 2018.
M-Files carried out the study by sending Freedom of Information Act requests, each containing a series of questions on GDPR readiness, to 44 local authorities and 32 London boroughs. The results indicate that 69% of local authorities are not able to effectively erase personally identifiable information, something that is critical under the new regulation.
Julian Cook, Vice President of UK Business at M-Files, suggests that the public sector needs to become more proactive in tackling personal privacy issues, which sit within the wider arc of GDPR compliance.
“The right-to-be-forgotten is arguably one of the most challenging aspects of GDPR, which places the onus on organisations to introduce smarter measures around data protection and controls, including how the Personally Identifiable Information (PII) of EU citizens is collected, stored and shared. This is particularly true for the public sector, where this data is commonly trapped within information siloes and duplicated across different systems and repositories. The net result is that public sector organisations often don’t have a full picture of the data on their systems, so completely erasing personal data becomes infinitely more challenging.
“The essence of GDPR is to ensure that explicit policies and procedures for handling personal information are in place, but with less than a year before the go-live date of 25th May 2018, the findings present a fairly concerning picture as to how prepared councils are. Because of this, the door is open for technology to play a significant role in automating and simplifying many of these processes.”
The issue should be particularly worrying for local authorities and other public sector organisations that are not yet able to comply with the General Data Protection Regulation, because the fines that can be levied under GDPR are much larger than those that can currently be issued in the UK. At the moment, the ICO (Information Commissioner's Office) can issue fines of up to £500,000 for organisations that contravene data protection law. Once GDPR comes into force on 25 May 2018, there will be a two-tiered sanction regime. Lesser incidents will be subject to a maximum fine of either €10 million (£7.9 million) or 2 per cent of an organisation's global annual turnover (whichever is greater). The most serious violations could result in fines of up to €20 million or 4 per cent of global annual turnover (whichever is greater).