Significant fines for non-compliance mean investment towards GDPR is essential, but more can be done to ease the strain. Contributor Tim Waterton, Senior Director of UK Business – M-Files.

Local authorities concerned about their abilities to fund the changes needed to support GDPR, should not be deterred and instead capitalise on simple and affordable steps, which demonstrate that reasonable measures are being taken to become compliant. This is according to Tim Waterton, Senior Director of UK Business at M-Files.

Recently, the National Association of Local Councils (NALC) brought to attention the financial strains facing local authorities in becoming compliant with GDPR. Waterton stresses that while these concerns are understandable there are also simple and affordable steps that can and should be taken to demonstrate compliance:

“The GDPR is a demanding piece of legislation that many organisations, particularly those in the public sector, are struggling to get to grips with. Indeed, the Cloud Industry Forum last year found that just 10 per cent of public sector respondents were completely confident that they understood the regulation, and only 6 per cent stated that their organisation was completely prepared for it, indicating the scale of work needed to ensure compliance. The ongoing squeeze on public sector budgets won’t be helping this situation, but while some level of investment will be needed to support GDPR, this doesn’t need to be unduly expensive. It really boils down to sound data hygiene practices and there are some relatively simple and cost-effective actions that public sector organisations can take to close the compliance gap.

“Local authorities are typically responsible for a huge volume of information, with data spread across multiple systems and used in a variety of ways by many departments. By creating a centralised personal data registry or information asset registry, it allows you to understand what data exists within your systems, where it is located, who has access to it and who it is shared with.

“Once you understand what data you have in your possession, you can then see how that information links to your different systems, processes, policies and procedures. That is the starting point for the transition to GDPR compliance.

“This information asset register is a hugely valuable resource and the very act of producing it will identify gaps in your data controls that need to be closed with more process improvements and stronger staff training”

Waterton concludes: “With the deadline for GDPR looming, scaremongering is sure to shift into overdrive. In truth, few companies will be 100 per cent ready by 25th May, but even for public sector organisations currently struggling, it’s important they can demonstrate to the ICO that reasonable steps are being taken. Understanding where your data sits and how it is managed is a great starting point.

“The question we should perhaps ask is whether using that information to close a few key gaps with process improvements is likely to be viewed positively by the ICO? My guess is that it will be; alongside enhanced staff training on information management responsibilities and ensuring that everything you do is thoroughly documented. Ultimately, the GDPR should be seen more as an opportunity for renewal and improvement, and less of a compliance tax.”