The Challenge

 

The new General Data Protection Regulation (GDPR) comes into force on 26th May 2018. All councils that use personal data to deliver services to citizens will need to comply with this data protection legislation.

 

The UK Information Commissioner has confirmed that despite the Brexit vote, the UK will be adopting the legislation and that the first piece of guidance will be published by the end of 2016. 

 

After that there will be guidance published on the concept of risk and how to carry out a data protection impact assessment in February 2017 (http://bit.ly/2gDQP9n).

 

GDPR creates stringent requirements for informed, ongoing and unambiguous consent from data subjects (i.e. individual people) before, during and after any person-related data gathering and/or sharing. Commensurate with this, the penalties for GDPR compliance failures are considerable: up to 4% of global turnover or €20m.

 

Local authorities and others involved in public service delivery will need to develop new processes to first obtain and then manage, on an ongoing basis, a variety of differently informed consents from potentially 100,000s of individuals each. This could even include managing the ripple effects of a consent being withdrawn after a period of time in which personal data had been shared with others.

 

The Solution

 

The smart business solution will put the needs and wishes of individual data subjects at its heart, for it is they whom the GDPR seeks to protect first. However, in a sense that is opposite to catering for individuality, the smart business solution will also exploit the obvious commonalities of need from an organisation's point of view to provide an economic, efficient and effective solution that can be deployed across many and diverse local public service environments.

 

In the digital era this means the solution must be an easy-to-use online service that engenders and assures transparency and trust for both the individual data subjects and organisations' data managers.

 

Most local authorities we have spoken with are still digesting the impact GDPR will have on their services. A common shared assessment of impact would help to implement best practice, with reduced duplication and shared costs. To do this, establishing a common framework for GDPR adoption, for all to share, is step one. Local authorities know there is a need and business imperative to do so, but there is as yet little progress in terms of a route to compliance.

 

The pooling of the shared knowledge from service providers, solution architects and data experts and clarifying steps to meet the new legislation will save substantial duplication across local authorities. A resulting 'common cookbook' for the adoption of GDPR will allow lessons learnt to be disseminated

 

 

Socitm Says:

 

 

A UK government minister* recently confirmed that we will be implementing the EU General Data Protection Regulation (GDPR) in 2018.   

 

The new regulation marks a big shift in data protection regulation towards giving individuals very high degrees of control over the use of their personal data by other parties. 

 

It is a fact that local public services are ever increasingly underpinned by digital and other ICT systems that gather, store and exchange personal data. Furthermore, local public services are many and diverse and must operate at the local population level of scale. They will each need to develop entirely new processes to obtain and then manage a variety of differently informed consent life-cycles from potentially 100,000s of individuals.

 

This proposal is to co-develop new GDPR-compliant processes and supporting digital service tooling that can be brought to market to the benefit of the co-developers and many other local public service providers.  

 

This intention is aligned to Socitm’s recommended strategy of encouraging Simplify–Standardise–Share. 

November 2016 

 

* Secretary of State Karen Bradley MP at the Culture, Media and Sports Select Committee in October 2016

 

The Opportunity

 

The GDPR marks a material change in the legal requirements. As such it makes a new market opportunity for the supply side of the digital economy at the same time as it creates new demand-side needs to be fulfilled. There are no products or services in the market place that meet this need at the current time.  

 

In addition to a cookbook document for the public sector, this proposal envisages a novel co-creation project aimed at developing and piloting a new digital service, working title Consentua. Consentua is an emerging technology focused on the GDPR challenge. Designed to be an open standard, Consentua does not itself hold any personal data. It is a cloud-hosted service, although very secure in its delivery. Consentua is simply an audit tally of how personal data is used by an app/system.

 

Consentua will fulfil the following basic requirements:  

  • Enabling the granting and managing of data subject consent for the organisational user – compliant with GDPR; 
  • Providing an audit trail of consent for both parties, data subject and organisational user; 
  • Data subjects keep control of how their data is used; 
  • A secure, cloud-hosted digital service; 
  • Does not hold any customer data itself;  
  • Independent, open standard based API. The aim is to make an open API to enable maximum (re-)use of the service; 
  • A validated set of new procedures, job roles and processes that are required to be enabled alongside the new Consentua tool that will be devised with the help of the first set of collaborators. 

 

Led by KnowNow this collaboration will deliver: 

  • In-depth analysis of the challenges involved in delivering the data-subject consent requirements and personal data control required by the GDPR; 
  • The numbers, customer groups, pinch points and service overlaps/connections with health, housing, commercial care providers and within the council; 
  • A technical assessment of existing data services and how they can seamlessly adopt and integrate a digital GDPR solution; 
  • A cookbook for the adoption of GDPR within local authority apps and enterprise systems; 
  • A test Consentua service tailored to UK local authority needs. 

 

We intend the GDPR assessment and cookbook to be available to all local authorities post project completion.  

 

 

 

What are we asking for?

 

  • We plan 100 days of work for the core analysis/research required; 
  • In addition, there are 3 days required per LA for the local analysis component; 
  • Approximately 25 days of effort to tailor APIs; 
  • We believe a minimum of 5 LAs (and maximum of 10) are needed to ensure all elements of GDPR impact are uncovered and addressed (a selection of unitaries, counties, districts would be welcome); 
  • Lead Data Protection and Adult Social Care (ASC) officers' involvement in a one-day multi-partner workshop (Adult Social Care is recognised as a key area on which GDPR will impact, and thus will be a key focus area); 
  • One day of on-site access to local ASC teams for interviews and information gathering; 
  • Access to ASC assessment processes, systems and overview of caseload statistics; 
  • Active involvement from senior ASC delivery lead via email, telephone and where necessary online groups to ensure service integration of Consentua for the LA; 
  • Active involvement from the sponsoring director (e.g. ASC) and Chief Executive's Office so as to empower local delivery teams, as well as review ongoing progress and confirm impact meets the expectation post project completion. 

 

Finances

 

The project's proposer, KnowNow Information (www.kn-i.com), is seeking a small number of local authority partners who will contribute a share of the financial and effort resources needed to create and pilot the Consentua service in addition to the GDPR 

 

The table below provides a matrix of costs, demonstrating the savings applicable to this engagement when resources are pooled.

 

| No. of LAs involved | Core Costs (per LA) | Local Costs (per LA) | Costs per LA |
|---|---|---|---|
| 5 | £20,000 | £10,000 | £30,000 |
| 6 | £16,666 | £10,000 | £26,666 |
| 7 | £14,285 | £10,000 | £24,285 |
| 8 | £12,500 | £10,000 | £22,500 |
| 9 | £11,111 | £10,000 | £21,111 |
| 10 | £10,000 | £10,000 | £20,000 |

 

*Participants in the consultation process would be offered ‘early adopter’ status for any resulting digital solution with a reduced financial commitment. 

 

Who are KnowNow?

 

The Consentua team have worked with local authorities on data requirements for more than 15 years, including academic expertise in data privacy and informed consent. By running this collaborative exercise KnowNow are looking to work with engaged local authorities keen to address GDPR using appropriate digital solutions.

 

As part of the collaboration KnowNow will bring their significant data management expertise to the table along with their alpha stage Consentua via which to test processes, theories and ensure best practice. 

 

KnowNow Headlines 

  • Member of the Digital and Future Cities Catapults; 
  • Leading player in the Smart Cities movement; 
  • Recipients of the Open Data Prize from the Open Data Institute;  
  • Awarded a European Commission commitment for Sustainable Urban Mobility; 
  • Founder Chris Cooper is the Chair of Digital South; 
  • Member of the Canary Wharf Cognicity Accelerator Challenge.