London councils have spent over £1.2 million in preparation for the incoming General Data Protection Regulation (GDPR), according to a new policy paper published today by the Parliament Street think tank.
The report includes survey data revealing that London councils have individually spent up to £300,000 on software, training and consultancy to prepare for the new EU regulation.
Researchers at the Parliament Street think tank found that Tower Hamlets council had the highest budget allocated, with £300,000 set aside for GDPR compliance. The council added that the cost of a dedicated project worker for 12 months on a salary of £49,514 per annum has been committed.
In contrast, the lowest level of spending came from Hounslow, which told the think tank that they had already spent £1,000 on staff training and materials, with an additional £4,000 allocated to the project for the rest of the year.
Other councils with large budgets included Redbridge council, which estimated a total budget of £110,689 for GDPR, with an extra £15,000 allocated for management software.
GDPR’s importance
Nick Felton, director of MHR Analytics, said: “Data protection legislation is not new, however the way in which public authorities collect, use and share information has changed significantly over the last 20 years. GDPR is designed to strengthen and unify existing law.”
“Under this legislation London Borough Councils must understand what personal data they process, why they process it, how and who processes it and importantly the legal basis used to qualify the processing. They must provide adequate GDPR training to staff, carry out a maturity audit and implement recommendations. They also need to assess if they have clear, concise and adequate use of privacy notices, a breach management strategy which meets the new compulsory reporting conditions, ability to fulfil data subject rights; including access and management of the withdrawal of consent and data processing maps to demonstrate and manage privacy risk. This will be a huge undertaking and significant investment will be needed internally and through the use of third parties, in order to comply with the May deadline.”
“Data continues to be a key asset for all organisations both from a legislation and competitive perspective – data is only getting bigger.”