Background
 
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 in the UK and will replace the current Data Protection Act 1998 (DPA).

As well as commercial organisations, GDPR will apply to all public sector bodies in the UK, from local authorities to parish councils. Police forces, central and local government, the NHS, military and fire service will all be affected. It will also apply to all organisations that public sector bodies work with, such as bodies owned by a local authority or a Local Enterprise Partnership.

How does GDPR differ from current legislation?

Although GDPR is based on the same basic principles as the UK’s current data protection legislation, the new framework will bring in some significant changes, as it provides a more comprehensive system for the governance of the information that organisations hold about people – from the point of data collection to its final deletion. GDPR also requires organisations to have a governance system in place to demonstrate their compliance and to show the regulator – the Information Commissioner’s Office – that they are taking their data protection obligations seriously. This means that, if there is a data breach, for example a security failure, it would be a mitigating factor if your organisation could demonstrate that it has the right policies and procedures in place. This would make the imposition of a large fine far less likely.

Any organisation, including a public sector body, that fails to comply with the new legislation could be subject to far larger fines than under the DPA (which has a maximum penalty of £500,000).

So what do public sector organisations need to do to prepare for GDPR?

All public sector organisations should be checking what information they hold about people and making sure it is accurate and of good enough quality to provide the public with the services they are entitled to. They should also be checking whether records are still needed, as GDPR requires that all records that are no longer necessary must be deleted. This is part of the records management process that all organisations are required to have in place. 

With less than a month to go until GDPR comes into force, Grant Thornton wants to understand how well prepared the NHS and other public sector bodies are for the new regulation. We have prepared a brief survey to help organisations think about the main compliance issues they will face when GDPR comes into force.
 
"Grant Thornton” refers to the brand under which the Grant Thornton member firms provide assurance, tax and advisory services to their clients and/or refers to one or more member firms, as the context requires. Grant Thornton UK LLP is a member firm of Grant Thornton International Ltd (GTIL). GTIL and the member firms are not a worldwide partnership. GTIL and each member firm is a separate legal entity. Services are delivered by the member firms. GTIL does not provide services to clients. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another’s acts or omissions.

* 1. How well prepared do you think your organisation is for the GDPR, which comes into force on 25 May?

* 2. Those responsible for the governance of personal information within your organisation are fully aware of their responsibilities under GDPR, and are taking action accordingly

* 3. The data protection principles are understood and complied with in all the parts of your organisation that process personal data – including your outsource providers

* 4. Data risk management has been fully integrated into your organisation’s overall risk management structure

* 5. Your organisation’s publicly visible privacy notices have been updated in line with the requirements of GDPR

* 6. Your organisation has already updated its contracts with external suppliers to ensure they reflect the requirements of GDPR

* 7. Your organisation has a data protection officer in place

* 8. There has already been a FIT/GAP analysis carried out at your organisation to assess the adequacy of its controls around data protection

* 9. Your organisation’s information security arrangements are strong enough

* 10. You believe that you understand GDPR well enough to comply with it in your day-to-day activities

* 11. Do you have any further comments on compliance with GDPR?

* 12. If you would like Grant Thornton to contact you regarding data protection at your organisation and compliance with GDPR, please provide the details below.

Please note your responses and comments above will remain anonymous and will not be attributable to you or your organisation in the results of this benchmarking survey.

By completing the details below you agree that Grant Thornton can contact you about GDPR. We will not use your personal information for any purpose other than the one stated above. If you require further information, please read our privacy policy.
