GDPR Risk Register

Columns in the register: Risk (short title); Risk (full description); Risk Owner; Key Existing Controls; Inherent rating (Impact, Likelihood, Grade); Treat?; Controls planned; Mitigated rating (Impact, Likelihood, Grade); Further Action. Grade is Impact multiplied by Likelihood (for example 4 x 3 = 12). Cells left empty in the register are shown as "(blank)".

Risk: Suppliers can't demonstrate compliance
Description: Suppliers can't demonstrate compliance to the organisation's satisfaction, meaning that any processing of data is potentially in breach of the forthcoming legislation.
Risk Owner: TBC
Key Existing Controls: Information lifecycle audits identifying areas of concern; ICT supporting major ICT concerns; services holding informal conversations with suppliers, with support from the Policy and Information Managers. Procurement working group in place.
Inherent rating: Impact 4, Likelihood 3, Grade 12
Treat?: Y
Controls planned: Areas of concern highlighted to the DPO and raised at the Information Governance Group and CLT. Amendments put in place to safeguard personal data where possible.
Mitigated rating: Impact 3, Likelihood 3, Grade 9
Further Action: (blank)

Risk: Cost of getting systems to comply
Description: Where systems aren't compliant, providers may request additional payments to make the system compliant. This cost has not been accounted for.
Risk Owner: TBC
Key Existing Controls: Information lifecycle audits identifying areas of concern; ICT supporting major ICT concerns; services holding informal conversations with suppliers. Procurement working group in place.
Inherent rating: Impact 3, Likelihood 4, Grade 12
Treat?: Y
Controls planned: Policy and Information Manager to start a record of costs and status. DPO to send guidance to managers to ensure that payments are not made without prior discussion with the DPO.
Mitigated rating: Impact 3, Likelihood 2, Grade 6
Further Action: (blank)

Risk: Staff resources impact of complying with recommendations from audits
Description: As a result of recommendations from the information lifecycle (IL) audits, services are identifying that the work required for their information to become compliant is significant, and there is a lack of capacity.
Risk Owner: TBC
Key Existing Controls: Working with services to develop reasonable timescales to deliver the recommendations. The council doesn't have to be compliant by 25 May.
Inherent rating: Impact 3, Likelihood 3, Grade 9
Treat?: N
Controls planned: (blank)
Mitigated rating: (blank)
Further Action: Getting a corporate message sent round recognising the impact and thanking staff. Ensuring that services have a clear plan in place and that these plans are followed up.

Risk: Increased requests from customers requesting compliance
Description: Resources aren't in place to deal with an increase in customers and partners challenging the council to meet their new rights.
Risk Owner: TBC
Key Existing Controls: "Need to Know" guidance on the intranet. Website being changed (March) to provide guidance, which should reduce requests. Further staff training in development.
Inherent rating: Impact 2, Likelihood 4, Grade 8
Treat?: N
Controls planned: (blank)
Mitigated rating: (blank)
Further Action: (blank)

Risk: Shared service arrangements
Description: Shared Service arrangements need to be reviewed for
Risk Owner: TBC
Key Existing Controls: Currently working with MKS partners on GDPR preparations.
Inherent rating: Impact 5, Likelihood 3, Grade 15
Treat?: Y
Controls planned: (blank)
Mitigated rating: Impact 5, Likelihood 3, Grade 15
Further Action: Develop a working group; consider whether external support is required to ensure arrangements are compliant.

Risk: Information sharing agreements not being in place
Description: Information sharing agreements exist across the council that are important to enable customers to be supported and services to be delivered effectively.
Risk Owner: TBC
Key Existing Controls: The Kent and Medway Sharing Agreement is currently being updated by a Kent working group. Work is underway to identify all other sharing agreements, and the working group will help support amendments.
Inherent rating: Impact 4, Likelihood 2, Grade 8
Treat?: N
Controls planned: (blank)
Mitigated rating: (blank)
Further Action: (blank)

Risk: The Data Protection Bill is not finalised
Description: The Data Protection Bill is not yet finalised and there may be significant amendments not yet accounted for.
Risk Owner: TBC
Key Existing Controls: The Policy and Information Team are keeping a watching brief on any changes.
Inherent rating: Impact 3, Likelihood 2, Grade 6
Treat?: N
Controls planned: (blank)
Mitigated rating: (blank)
Further Action: (blank)

Risk: DPO conflict of interest
Description: A conflict of interest was identified for the DPO role. The DPO cannot have responsibility for any service where they are responsible for deciding the method of data collection, unless arrangements and procedures are put in place or it is an ancillary service.
Risk Owner: TBC
Key Existing Controls: Agreed that Customer Service reports directly to the SIRO on the means of processing information; Customer Service Manager job description updated.
Inherent rating: Impact 3, Likelihood 2, Grade 6
Treat?: N
Controls planned: (blank)
Mitigated rating: (blank)
Further Action: (blank)

Risk: Lack of capacity in ICT, Legal and Procurement
Description: Due to the large number of changes to systems and suppliers there is the potential for substantial extra work for ICT, Legal and Procurement, but particularly for the shared services.
Risk Owner: TBC
Key Existing Controls: MKS authorities are working in collaboration on GDPR projects and are identifying where there are potential impacts on workloads, and offering support to help prioritise. ICT work is going through the commissioning groups.
Inherent rating: Impact 3, Likelihood 3, Grade 9
Treat?: Y
Controls planned: (blank)
Mitigated rating: (blank)
Further Action: Ask services to report capacity to the DPO and the Information Governance Group so that changes can be monitored.