Data protection officers (DPOs) working in central government departments, agencies and associated public bodies across the UK say they have seen a doubling in volume of data protection requests (DPRs) since the introduction of the General Data Protection Regulation (GDPR) in 2018, but are not being adequately resourced when it comes to dealing with the workload.
This is according to The impact of GDPR in central government, a newly published study conducted by eCase, a supplier of correspondence case management systems which works extensively with Westminster, including at the Department for Work and Pensions (DWP), Defra, HMRC, the Ministry of Defence (MoD) and the Treasury.
Its survey of central government DPOs found that 70% had seen significant upticks in their workload since GDPR became law, while 40% had received no extra team resources to manage this and 33% were still managing DPRs manually or with support from basic spreadsheet software.
An 83% majority said they had, however, experienced an increase in “support and recognition” from their superiors.
“Through our work, we recognise that GDPR has presented unique challenges for DPOs across central government, so we wanted to provide a mechanism for them to share common challenges and provide insights into how they can better and more effectively manage their compliance,” said eCase director Richard Clarke.
“In the course of our research, we discovered that few are using purpose-built commercial tools,” he said. “This lack of efficient tooling may not only be affecting their ability to confidently manage their current workloads, but also their ability to fulfil future requests, which will become even more pronounced as their workloads continue to increase.”
Indeed, many of those who said they were using custom-built DPR-management tools said they fretted about being able to fulfil their obligations in the time limits laid down by the Information Commissioner’s Office. All of those using purpose-built tools said they were mostly or completely confident they could do so.
In light of this, eCase has called on the government to increase the size of departmental data protection teams, provide more concrete support to these teams to help them engrain best data protection practice into their work, and offer more extensive and, crucially, continuous data protection training and education.
“I believe that the insights and recommendations in this report will provide central government, and the wider public sector, with a clear roadmap for improvement,” said Clarke.
“Given the current pandemic situation, where we know that many teams have been depleted and the focus on the role of data in managing this crisis has sharpened, the risk of data protection teams being overwhelmed is greater than ever. I urge all DPOs in government to read this report and act upon its recommendations before this happens.”
Jon Baines, chair of the National Association of Data Protection and Freedom of Information Officers (NADPO) and a data protection advisor at law firm Mishcon de Reya, added: “I welcome this report as its findings should help inform not just decisions made in government and the public sector, but also across the wider spectrum of private organisations.”