GDPR: Are you doing enough to prepare?
The imminent arrival of GDPR is forcing organisations across the UK to quickly get to grips with what, where and how they are using personal data. And the public sector is no exception. NHS trusts, social housing bodies, education establishments and government departments are littered with personal data.
How are they getting themselves ready to avoid costly fines and damage to their customers’ trust?
The answer is: they are not.
Driven by rapid advances in technology and the greater availability of data, the digital revolution continues to challenge the way public sector organisations think and operate, especially the NHS.
NHS Digital has released a programme of communication, which outlines 12 subject matters on GDPR guidance. It is targeted at “those with senior responsibility for Information Governance […]. This includes Caldicott Guardians, operational IG leads and managers, plus all employees.”
They claim that “the information will help organisations to make the changes needed due to the EU General Data Protection Regulation, which will happen regardless of Brexit.”
Speaking with a number of leaders across the health and social housing landscape, it’s clear that other business demands are taking priority and some are not set to cope with increased accountability, workload or potential fines for data non-compliance.
According to this year’s Interim Partners report, priority areas for NHS improvements should include performance management (50%), better use of data & technology (49%) and driving efficiencies (45%). There is a sentiment that businesses are largely unprepared for the impending changes:
“Get GDPR sorted first. Proposition and capability development for export second. IT security third. Be bold.” - Survey respondent
So what needs to happen?
Awareness, planning and accountability need to be at the top of the agenda for all public sector organisations over the coming months.
Do you know what GDPR means for your organisation? Who is accountable for planning the compliance programme? Is your current operating model fit for purpose?
Technology could be seen as an accelerator for a GDPR initiative, but it’s only part of the solution. Public sector bodies will need expertise and guidance to review current governance and devise the appropriate strategy. External resource is likely to be the missing link needed to ensure planning is accurate and to safeguard them against potential fines. Ultimately, public sector organisations may need to re-engineer their entire operational structure to accommodate GDPR requirements.
May 2018 is fast approaching. With tight timescales and limited guidance, public sector leaders need to take a pragmatic approach to GDPR. Over recent months Interim Partners has worked with a number of forward-thinking organisations on their GDPR strategy. Many of those are establishing or adjusting governance arrangements to comply with GDPR, with the appointment of a designated lead and/or a full review of governance arrangements being the most common first steps.
Organisations that are ahead of the curve can be confident that they are respecting the law and data subjects’ rights, mitigating risk appropriately, and that they have a defence in the event of a breach.
I would be interested to hear what’s happening in your organisation, and whether your business is in fact GDPR ready.
If you would like to discuss how we could assist your business, get in touch with Claire Carter on 0207 842 5888 or email her at firstname.lastname@example.org.
Claire Carter is Director of the Public Sector.