Most councils unable to meet the right-to-be-forgotten GDPR requirements

Research conducted by M-Files Corporation, the intelligent information management company, reveals that the vast majority of local authorities in the UK are not yet able to comply with the “right-to-be-forgotten” stipulations of the General Data Protection Regulation (GDPR).

As part of a Freedom of Information (FOI) request, M-Files sent requests to all 32 London boroughs and 44 other local authorities distributed evenly throughout the UK asking a series of questions regarding GDPR readiness. The results reveal that almost seven in 10 (69%) local authorities are not able to effectively erase personally identifiable information (PII) from their systems – a critical requirement of the new regulation.

Julian Cook, Vice President of UK Business at M-Files, suggests that the public sector needs to become more proactive when it comes to tackling personal privacy issues, which sit within the wider arc of compliance within GDPR.

“The right-to-be-forgotten is arguably one of the most challenging aspects of GDPR, which places the onus on organisations to introduce smarter measures around data protection and controls, including how the Personally Identifiable Information (PII) of EU citizens is collected, stored and shared. This is particularly true for the public sector, where this data is commonly trapped within information siloes and duplicated across different systems and repositories. The net result is that public sector organisations often don’t have a full picture of the data on their systems, so completely erasing personal data becomes infinitely more challenging.

“Radical changes to how public sector organisations manage their information will be required if they are to be compliant when the regulation comes into force.”


Key focus

To assist boroughs in preparing for GDPR, Cook believes that a key focus should be on implementing technology solutions that streamline the management of personal data, and are compliant in key facets of the regulation, including the right-to-be-forgotten.

“The essence of GDPR is to ensure that explicit policies and procedures for handling personal information are in place, but with less than a year before the go live date of 25th May 2018, the findings present a fairly concerning picture as to how prepared councils are. Because of this the door is open for technology to play a significant role in automating and simplifying many of these processes.

“In the case of the public sector, the need to control and protect information is an ever-present challenge, and one that is often hindered by risks surrounding data duplication and lost information – issues that are time-consuming, difficult and costly to address.

“Intelligent information management systems, which make finding and cleansing data from systems and repositories significantly more straightforward, can make a big difference here. Importantly, these solutions can fit seamlessly with existing systems and processes. For the increasingly cash-strapped public sector, this integration is hugely beneficial, enabling organisations to continue leveraging their existing legacy systems while adding the powerful information management functionality needed to protect and remove personal information and adhere to GDPR requirements.”

Related reading