Lauren Findlay, a solicitor in Glasgow City Council's Corporate Team, discusses her experience of being involved with the GDPR implementation project.
When people ask what it’s like working in-house, probably the most commonly given response is that the job is full of variety and that no two days are the same. Having completed my traineeship at Glasgow City Council, it was for this reason that I wasn’t entirely sure what to expect when I started my new position in the Council’s Corporate Team. For the most part, this has turned out to be true. One of the things that I enjoy most about my job is the variety of work that keeps me busy on a day to day basis (think drafting contracts for wheelie bins to drafting submissions to the Scottish Information Commissioner).
However, in addition to my business as usual work, I have also been involved in the Council’s GDPR implementation project. With the new data protection law recently coming into force, this is a fitting time to reflect on my experience and what I have learned being part of such a major project.
As you will undoubtedly be aware from the stream of marketing emails in your inbox, data protection law changed on 25 May 2018. Some of the changes include significantly higher fines (up to 4% of annual worldwide turnover), new rules on the legal basis for processing personal data and new obligations on data controllers and data processers. In preparation for these changes, the Council’s GDPR project was created to effectively implement the new law across the Council and its Arm’s Length External Organisations (ALEOs). The project was split into various groups which included an Operational Delivery Group responsible for implementation and also specialist sub-groups including a legal sub-group.
By the time I started working on the project, almost eight months ago, it was already well underway. A detailed project plan had been created and there was an extensive list of tasks to be actioned. This meant that I really had to hit the ground running and, in my view, this is the best way to learn. As a trainee I had some exposure to data protection, however this was limited and primarily in the context of dealing with freedom of information requests. Getting up to speed with GDPR and the associated Data Protection Act was initially challenging and a little bit daunting. However, I found that this became easier as I became more involved in the project and completed more work. I also made sure to attend internal and external training as well as keeping on top of guidance as and when it was released. I also took the opportunity to meet regularly with colleagues in the legal team and also across the Council, learning from their expertise in this area.
In my experience, working for a local authority has been rewarding in that your work directly or indirectly benefits residents of the city. While GDPR is fundamentally about protecting and enhancing an individual’s rights, the project also provided an excellent opportunity to be part of change at an organisational wide level. My role primarily involved providing advice on new privacy notices or general queries, creating guidance documents, updating existing contracts and putting in place new data sharing and processing agreements. Being able to contribute to the success of the project and the implementation of new practices across the entire organisation has been a professionally rewarding experience. The project has also shared its materials and resources with other local authorities and public bodies.
Overall, the project has been a steep learning curve and has helped to develop my knowledge in this area as well as providing the skills needed to contend with challenging data protection issues.
Lauren Findlay studied at the University of Strathclyde and completed her traineeship at Glasgow City Council. She has recently qualified and has joined the Council’s Corporate Team, specialising in Procurement, Freedom of Information and Data Protection.