The Head of Performance and Partnerships gave a presentation to provide an update on the strategic risk around the new data protection reforms - the General Data Protection Regulation (GDPR). Without a detailed and documented approach to the GDPR the Council risked non-compliance, which could result in a breach and monetary penalty, risks to individual safety and significant reputational damage.
The Council's current risk level was reducing due to the significant work carried out to date and remaining work being well progressed. The current risk level was scored at 15 and the ambition was to move to 10 or lower. This would be achieved when all mitigations were delivered and the risk managed down to acceptable levels. The maximum risk score was 35.
In order to ensure compliance with the GDPR principles, work had been carried out with senior managers across all Council services to document the required evidence. There had been significant investment in training, including e-learning and workshops, as well as business analysis, audits of data, document reviews and provision of advice.
The GDPR came into effect on 25 May 2018, two days after approval of the Data Protection Act 2018. In preparation for implementation, an internal audit had been carried out and all recommendations were addressed by the end of January 2018. A further internal audit review would be undertaken in 2018/2019.
In 2017, 48 information security incidents were reported, including 4 that were reported to the Information Commissioner's Office (ICO). Breaches included data posted or emailed to the incorrect recipient, loss or theft of paperwork and verbal disclosures. To date in 2018/2019 there had been 38 similar incidents reported, including 9 that had been reported to the ICO. It was noted that breach reporting had increased due to stricter rules under GDPR but also due to better awareness and reporting.
A list of current and future mitigations was included in the report and it was highlighted that a Data Protection Assistant would be appointed in November 2018. It was also noted that the ICO expected a two year implementation plan from May 2018.
AGREED that the information provided was received and noted.