GDPR Risk Register

| Risk (short title) | Risk (full description) | Risk Owner | Key Existing Controls | Inherent rating: Impact | Inherent rating: Likelihood | Inherent rating: Grade | Treat? | Controls planned | Mitigated rating: Impact | Mitigated rating: Likelihood | Mitigated rating: Grade | Further Action |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Suppliers can't demonstrate compliance | Suppliers can't demonstrate compliance to the organisation's satisfaction, meaning that any processing of data is potentially in breach of forthcoming legislation. | TBC | Information lifecycle audits identifying areas of concern, ICT supporting major ICT concerns, services holding informal conversations with suppliers with policy and information managers support. Procurement working group in place. | 4 | 3 | 12 | Y | Areas of concern highlighted to DPO and raised at Information Governance Group and CLT. Amendments put in place to safeguard personal data where possible. | 3 | 3 | 9 | |
| Cost of getting systems to comply | Where systems aren't compliant, providers may request additional payments to make the system compliant. This cost has not been accounted for. | TBC | Information lifecycle audits identifying areas of concern, ICT supporting major ICT concerns, services holding informal conversations with suppliers. Procurement working group in place. | 3 | 4 | 12 | Y | Policy and Information Manager to start a record of costs and status. DPO to send guidance to managers to ensure that payments are not made without prior discussion with DPO. | 3 | 2 | 6 | |
| Staff resources impact of complying with recommendations from audits | As a result of recommendations from the IL audits, services are identifying that the work required in order for the information to become compliant is significant, and there is a lack of capacity. | TBC | Working with services to develop reasonable timescales to deliver recommendations. The council doesn't have to be compliant by 25 May. | 3 | 3 | 9 | N | | | | | Getting corporate message sent round recognising the impact and thanking staff. Ensuring that the services have a clear plan in place and that these are followed up. |
| Increased requests from customers requesting compliance | Resources aren't in place to deal with an increase in customers and partners challenging the council to meet their new rights. | TBC | Need To Know guidance on the intranet. Changing website to provide guidance (March), hopefully to reduce requests. Further staff training in development. | 2 | 4 | 8 | N | | | | | |
| Shared service arrangements | Shared Service arrangements need to be reviewed for | TBC | Currently working with MKS partners on GDPR preparations. | 5 | 3 | 15 | Y | | 5 | 3 | 15 | Develop working group, consider whether external support is required to ensure arrangements are compliant. |
| Information sharing agreements not being in place | Information Sharing agreements exist across the council that are important to enable customers to be supported and services delivered effectively. | TBC | The Kent and Medway Sharing Agreement is currently being updated by a Kent working group. Work is underway to identify all other sharing agreements and the working group will help support amendments. | 4 | 2 | 8 | N | | | | | |
| The Data Protection Bill is not finalised | The Data Protection Bill is not yet finalised and there may be significant amendments not yet accounted for. | TBC | The Policy and Information Team are keeping a watching brief on any changes. | 3 | 2 | 6 | N | | | | | |
| DPO conflict role | Conflict of interest was identified for the DPO role. DPO cannot have responsibility for any service where they are responsible for deciding method of data collection, unless there are arrangements and procedures put in place or it is an ancillary service. | TBC | Agreed Customer Service reports direct to SIRO on means of processing information and Customer Service Manager JD updated. | 3 | 2 | 6 | N | | | | | |
| Lack of capacity in ICT, Legal and procurement | Due to the large number of changes to systems and suppliers there is the potential for substantial extra work for ICT, Legal and procurement, but particularly the shared services. | TBC | MKS authorities are working in collaboration on GDPR projects and are identifying where there are potential impacts in workloads, and offering support to help prioritise. ICT work is going through commissioning groups. | 3 | 3 | 9 | Y | | | | | Ask services to report capacity to DPOs and the information governance group so changes can be monitored. |