19.04.18
How do new regulations affect information sharing?
Source: PSE April/May 2018
The incoming General Data Protection Regulation (GDPR) will significantly change the way organisations share information in a wholly positive way, writes Damion Nickerson, engagement manager at the Centre of Excellence for Information Sharing (CEIS).
When the clock struck midnight on 31 December 2017, the world sat down and took stock of another 12 months passed. For those of us looking forward, rather than back, there were a few things which were guaranteed to happen in 2018: a royal wedding, the Winter Olympics in PyeongChang, Murray mania sweeping the nation sometime in June, and the introduction of the General Data Protection Regulation (GDPR) on 25 May.
Arguably, for those not in the know, the first three events could be perceived as being of greater significance than the introduction of a new piece of legislation about how personal data is processed. However, for any public or private sector company, the incoming changes of the GDPR are a major event, which (if they haven’t already) needs to be prepared for.
We currently use data and information in line with the current Data Protection Act 1998 (DPA), which has been around for the last 20 years and has a familiar feeling about it – which isn’t to say people find it easy to navigate. Most are all well-schooled about its rules and regulations, which are engrained within the way most private and public sector companies work. So, with the DPA being replaced by the new Data Protection and Digital Economy bills, which will in effect implement the GDPR, will this change affect the way information is shared?
Working at the CEIS, the aforementioned question is one we have been asked regularly from across the public sector. At the centre, we approach this from a different angle: our focus isn’t on the technical side of information sharing, but on a cultural one. And my answer to the question about whether GDPR will change the way information is shared is, of course it will – but in a positive way.
Evolution, not revolution
Organisations which already have good practice in place around their use of information won’t need to implement significant change to be GDPR-compliant, but may need to tighten up their processes in areas such as personal data, accountability principles and individual rights. And for those organisations which don’t fall into this category, it gives them the opportunity to improve the way they do things moving forward to make sure they are working in line with the new regulations.
Irrespective of which camp your organisation or department currently sits in, the necessity to work closer with the partners you share information with will be the same. The numerous changes from the DPA that the new legislation brings, be it around what counts as personal data or changes to the accountability principles, underpins the reliance on better working relationships.
A cultural shift
At the centre, we think that organisations need to make a cultural decision to change their thinking. The GDPR gives them the opportunity to consider more broadly, not just the technical, but also what kind of information-sharing culture they would like to create. It needs to fall in line with the legislation and ensure that the technical, the mechanical and the cultural work in a cohesive and informed way.
Working like this really puts the focus back on to people; the people that work within the organisations, the people they work with, and, most importantly, the people that they support with services. This cultural shift in thinking in a lot of organisations will be revolutionary. At CEIS, we see the radical change in thinking affecting service design, professional development, partnership working, the vision and leadership that’s needed to progress the conversations, and how you engage partners to communicate what you are doing.
Opening opportunities
The introduction and implementation of the GDPR opens opportunities for organisations, departments and just about all services to do something a little different. It creates time and space to raise awareness around sharing information and an impetus to allow organisations to consider what data they hold, what consent they have, what they do with the data, and whether they even need it. In short, it creates a chance to reconnect with the people they serve.
The need to be able to prove the level of consent to use data under GDPR gives the perfect reason to reconnect with the public. It opens the opportunity to discuss data and start a conversation about how information isn’t just fundamental to the way public services are designed, but to the way they can be improved.
This opportunity to engage more with the public on the use of data would benefit from support by senior leaders and decision-makers. It needs to be embedded into everyday practice and not just a one-off, knee-jerk reaction to the GDPR – creating a cultural shift to the use of data which will benefit the way information is shared.
The elephant in the room about the new legislation is the increase in possible fines compared to the DPA. The fear this threat carries can, in some cases, stifle the way information is shared. It’s imperative that organisations are supported to feel confident to work within the new legislation and see it as an opportunity for better use of information, not a reason to stop sharing it. Elizabeth Denham, UK information commissioner, wrote in a recent blog about GDPR: “While fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective.” There is a wealth of support available to get GDPR-ready, so there’s no need to worry.
Mood shift
As the preparation for GDPR moves into its final months, the mood seems to be shifting from one of trepidation to one of opportunity. The potential benefits of improving our use of data and information are starting to be understood. Thinking culturally about these changes will support and empower better conversations, better relationships, more stringent accountability and better outcomes for public services and the individuals who engage with those services.
FOR MORE INFORMATION
W: www.informationsharing.org.uk/GDPR