Implementing the GDPR in the NICS
John Morgan, Head of the Information Management and Data Services Team in the Department of Finance, the lead department for implementing the GDPR in the Northern Ireland Civil Service, discusses the action being taken to prepare for the regulation.
As the lead department for data protection, the Department of Finance (DoF) is responsible for driving GDPR compliance across the Northern Ireland Civil Service (NICS).
Each department, as a separate public entity, is responsible for implementation in its own area; however, the DoF has overarching responsibility for leading the move towards full GDPR compliance.
Morgan explains that while the Department has been working towards GDPR implementation for four years, the past two years have seen a concentrated effort to ensure that full compliance is achieved by 25 May 2018.
The DoF is working to guidance issued by the Information Commissioner’s Office (ICO), a ‘living document’ that incorporates guidance produced by the EU’s Article 29 Working Party. The document outlines the key actions organisations should take to prepare for the GDPR.
Morgan highlights that an important initial step was the creation of sub-groups to analyse each element of the guidance, assess how it would affect current policies and procedures, and map out an approach.
The eight sub-groups cover: the information asset register; contracts; privacy notices; data protection officers; GDPR IT; consent; awareness; and the NICS data breach management plan. Each group draws its members from the nine departments, PRONI, PPS and Enterprise Shared Services, and has its own terms of reference and time-bound objectives.
Each sub-group reports to the Information Management Council (IMC), which in turn reports to the Information Governance and Innovation Board (IGIB). As chair of the IGIB, DoF Permanent Secretary Hugh Widdis then reports to the Permanent Secretaries Group.
Morgan outlines that while preparation for the GDPR has been challenging, the NICS had a solid platform to build from. The GDPR will replace the existing Data Protection Act 1998, under which the NICS received just one fine from the ICO.
“The NICS is in a good place considering the processes and procedures that we have in place to comply with the 1998 Act,” he explains. “All the departments have data protection policies in place, they have awareness training in place and they adhere to the data sharing regulations.”
Morgan, who has been engaging with and informing a wide variety of staff from across the NICS, says that while compliance with the 1998 Act has provided a solid foundation to build on, there is still work to be done to meet GDPR standards.
“What I have been impressing on the departments and the senior managers of those departments is that GDPR is bringing with it two major changes. The first is accountability and the second is improved rights for people over their personal data. Accountability now means proof. Proving that you are compliant. Whereas before we may have had policies and procedures around a particular element of data protection, we’re now going to have to prove that people have seen it, prove that people are utilising it and prove that privacy is by design. It’s a major change in emphasis.
“People’s rights have also changed. GDPR offers enhanced rights to the individual including clear indication of why a person’s data is being taken and for what reason it is being held. Governed by the Public Records Act, the NICS already operate a retention and disposal policy but there is a need to be even tighter. The culture of the departments will have to change so that data protection becomes a non-functional requirement.
“Each department has embraced it to the extent that they all have implementation plans and the department boards all have it on their risk registers.”
Morgan highlights that probably the most significant change under the GDPR is the mandatory appointment of a data protection officer (DPO). His team advised that a DPO be appointed for each of the departments, and Morgan says the Information Management and Data Services Team is aware of the skill set the role requires.
In early 2018 the NICS will designate a total of nine DPOs from within its own staff, some through an internal trawl and others through role re-adjustment.
In terms of how compliant the NICS will be on 25 May 2018, Morgan says: “We asked the ICO how compliant we had to be by the date of implementation and he replied ‘compliant’. So that’s what we will be.”
The GDPR also introduces mandatory reporting to the ICO, within 72 hours of the organisation becoming aware of it, of any personal data breach that is likely to result in a risk to individuals. It is widely recognised that this threshold is open to interpretation, and that any increase in breach reporting would need to be matched by an increase in resources at the ICO to deal with the added demand. Last year the NICS reported no breaches to the ICO.
Morgan says: “We have to be very clear across the NICS as to what a reportable breach is, but also, if we are not reporting a breach, why not?”
The consequence of non-compliance under the GDPR is a significant fine; however, as Morgan explains, the impact would be more widely felt. “The first warning to give is don’t get fined. The fines are significant, however, there is also the added time it will take to mend a non-compliance. A medium-to-serious breach could take over and above a year to resolve and that’s a significant amount of resource that the departments cannot afford.”
Concluding, Morgan believes that Brexit will have no initial impact on GDPR: “GDPR has to be in place by May 2018 and Brexit, in whatever form, will happen beyond that. EU countries will not do business with the NICS unless we are GDPR compliant and the UK in general is aware of this, with the current Data Protection Bill going through Parliament, which incorporates GDPR.
“However, where we will see some challenges is post-Brexit in relation to the status of information shared within the EU. This will have to be covered in the negotiations.”