Act now to evolve data security mindset and culture (Guest post)

Simon Merrick, principal digital transformation consultant at Agilisys, discusses why new data protection laws mean councils need to reset or refresh their mindset about data privacy if they are to avoid potential internal conflict.

The recent announcement that the government will sign the European privacy rules set out in the General Data Protection Regulation (GDPR) into British Law and update the existing Data Protection Act should not be a surprise. In fact, it takes away some confusion about whether Brexit will mean that the GDPR won’t apply. It will – and from May 2018. That’s less than a year away and local authorities, in fact all organisations, really need to act now on their data privacy and security.

For most authorities, this means resetting or at least refreshing the organisation’s mindset about data privacy through education and cultural reinforcement underpinned by clear employee responsibilities, roles and rules. Not thinking about this mindset, ushers in the potential of conflict between employees in different departments and between managers as the new laws start to bite.

The role of the Data Protection Officer (DPO) is a good example of the need to refresh this mindset. Up until now, local authority employees all too often didn’t know who their DPO was. Yet, suddenly, thanks to next May’s arrival of GDPR and the recent government announcement about new data protection laws, the role will become the very public centre of an authority’s attitude to data privacy. If the growing profile of the role isn’t challenging the status quo within an organisation, then it is probably not challenging the organisation’s privacy approach enough. The opportunity here is to use this challenge to drive transformation change, rather than let it descend into ineffective compliance or worse open conflict. The DPO will be held up in a privileged and protected position, they will need to advise, even step on the toes of people like the head of IT, the Directors and Risk managers. They will need to influence, to negotiate and persuade. The organisation needs a broad and very well-rounded player to be effective in this role.

As we get ever closer to the May 2018 deadline and time runs out, one can imagine organisational emotions running high to be compliant. Unfortunately, data breaches are an inevitability and no organisation will want to be the first to be made an example of by the Information Commissioners Office under GDPR.


Practical steps

So, what can authorities do to avoid this conflict? In my opinion, it’s all about shifting culture and understanding to speed up and focus the decision-making. The time has already run out for long drawn out business cases to make the changes required, investment to shore up or remove vulnerable systems and processes is needed this financial year. The ICO will argue that all organisations have had two years to prepare since GDPR was first enacted, so using the fact that the design and approval process caused the compliance delay won’t hold much water. Ideally, the trio of the CISO, CIO and DPO should be able to nail a transformative GDPR compliance programme because they have enough vision to understand and steer the organisation and enough power to influence. And it most definitely is a case of influencing people.

Communication needs to filter down and explain how the regulations impact the organisation and the impacts will be different for each organisation. This change is inevitable, the technology and data privacy landscape in which the Council finds itself has changed. Everybody involved with personal data needs to realise that they are only the caretakers of citizen data – they don’t own it – so need to treat it as such.

Local authorities also need to be smarter. Why not talk to neighbours to see if they have the expertise – plus the willingness and time, of course – to share? Should you outsource or share your data protection officer and let somebody, whose job it is to be the expert and who knows your industry, guide your organisation? Weak or ineffective DPOs won’t cut the mustard and won’t be able to hide from the ICO when they come knocking to deliver an audit. Your investment and support for the DPO and their supporting team will be evidence of your commitment to data privacy.  Strong DPOs will be increasingly in short supply and therefore will command high salaries.

Whatever route is chosen, it’s also worth remembering that data privacy and compliance with GDPR isn’t a short-term obligation. Yes, a data audit is important right now, but that’s just a snap-shot. Authorities shouldn’t fall into the trap of treating it as such. Some form of DPO will be needed on an ongoing basis. Data needs to be protected from human error, hacking, disruption by disgruntled or former employees and wider ‘world’ hacks such as the WannaCry ransomware. Investing in compliance of GDPR is a set of decisions based on an understanding of risk and that needs to be documented.

Ongoing management and investment will be needed and this is where the mindset/culture shift comes into play once again. You may want to invest in technical platforms or organisational changes to enforce or monitor privacy policies and processes. But, it will be a well-informed mindset of data privacy and security that will more quickly identify the vulnerabilities and help focus those investment decisions.

The fly in all of this of course is that, as with all regulations, there are aspects that are black and white, no question you need to comply, and there are aspects of the requirements that are open to interpretation. No doubt, interpretations of the GDPR and the Data Protection Bill will be challenged through the courts. Authorities would do well to review their information security management systems they have in place, such as ISO27001, as these will help enforce the right mindset and provide a sound basis for a privacy information management framework.

When it comes to GDPR, there is a great deal for local authorities to decide how to comply and where to invest, and the clock is ticking – the May GDPR deadline date is fast approaching – so now is the time to bring this to the top table and avoid conflict.

Related reading