https://gds.blog.gov.uk/2018/05/31/how-we-worked-together-to-prepare-for-gdpr/

How we worked together to prepare for GDPR

The General Data Protection Regulation (GDPR) is a new European law that promotes transparency around the collection, use, sharing and storage of user data. GDS puts user needs at the centre of everything we do, so the opportunity to reflect these changes in our services is huge – and so is the project behind it.

Avnesh Pandya, Delivery Manager

My role as Delivery Manager for GDPR is to plan and co-ordinate our response across our citizen-facing services. I also work with colleagues in Cabinet Office to share what we learn and collaborate across government departments. Everyone at GDS – myself included – is a user too, so we’ve been working on reviewing our internal policies and guidance.

The GDPR project is made up of 19 workstreams in total, and we’ve been working on it for almost a year now. The team is a large one, with specialists from different parts of GDS working on specific areas, getting together regularly to share what we’ve learned.

In this blog post, some of the people at GDS who worked to prepare for GDPR talk about the project and the challenges they faced.

Georgina Grant, Commercial Strategy Advisor

My role

My role is to ensure that GDS’s existing commercial agreements with suppliers are compliant with GDPR. To do this, we have been issuing contract variations which incorporate new clauses and clearly set out the responsibilities for each party.

Why is this important?

Suppliers play an important role in helping us deliver digital services and we need to make sure that they understand what we need from them to meet the new standards.

What’s been the biggest challenge?

Given the volume and variety of commercial agreements held across GDS, ensuring that changes to contracts provide the appropriate level of coverage is the biggest challenge and most important aspect of this project.

Niall Keegan, Information Manager

My role

As Information Manager at GDS, I’m responsible for advising on best practice in information and records management for the handling and processing of personal data. I’m also part of the GDPR core team responsible for drafting guidance, products and processes to enable GDPR compliance. This includes things like consent forms and privacy notices.

Why is this important?

GDPR compliance has real benefits to how we work in GDS. It will ensure we retain better, more accurate information, enabling us to build stronger relationships and increase trust in our services. As an exemplar for digital services across government, GDS has a big opportunity to lead the way in GDPR compliance. This starts with informing staff and putting relevant products and processes in place.

What’s been the biggest challenge?

There have been a lot of competing priorities. It has been a challenge to document all our processing activities across the business. We have been working with teams to review processes and audit files containing personal data, and this has been daunting at times because of the huge proliferation of tools used to store data across GDS.

Chantal Foyer, Product Manager

My role

I'm a Product Manager on the Digital Marketplace. As part of ensuring our service is compliant with GDPR, we needed to update the contracts we have with suppliers who sell services on the Marketplace and get all of those suppliers to accept the changes.

Why is this important?

The Digital Marketplace is where government goes to buy digital services. We need to know that our suppliers understand this change in law and ensure that their services comply with it. Our updated call-off contract templates include GDPR terms to ensure that public-sector buyers can confidently buy through the Digital Marketplace.

What’s been the biggest challenge?

We have more than 4,000 suppliers on the Digital Marketplace. We needed all of these suppliers to review the changes we were proposing and accept them. If we had to do this manually, this would have taken a lot of time. Instead, we reused a feature we’d built for an earlier contract, which allowed suppliers to review the variation and accept it in one seamless online flow. This meant that within the first 4 weeks, we had just under 3,500 acceptances.

John Waterworth, Head of User Research

My role

I'm Head of User Research at GDS and also the head of the Cross-Government User Research Community. Respecting the privacy of research participants is an important part of our practice, so GDPR is an important change for us. I’m responsible both for making sure that we do research at GDS in an ethical and legal way, and also for the guidance that we provide in the Service Manual for user researchers across government. My role in this project was to update our processes to reflect the changes, whilst communicating them to our participants in a clear and understandable way.

Why is this important?

Although collecting personal data about research participants isn’t the purpose of user research, we often end up with personal data in the notes, recordings and photos we take during research sessions. Responses to surveys can contain personal data. And participants may enter personal data into a prototype or beta service during a usability test. So we need to carefully manage how we collect and store our research data. We also need to look at how we use any extracts, such as quotes and video clips.

What’s been the biggest challenge?

We know that showing our colleagues video clips, sound clips, photos and extended quotes from research sessions is incredibly valuable in helping teams understand their users. We’ve worked hard to find ways to share these extracts that are simple for user researchers to follow while also protecting participants’ privacy. Researchers can choose to create completely anonymised extracts. This takes a bit of extra work, but means the researchers are free to include those extracts in their findings presentations, and in public reports or blog posts. Or researchers can use extracts where participants can be identified. Then they must tightly control who can access those extracts, and prevent colleagues from copying or downloading them.

Lee Porte, Reliability Engineer

My role

As component lead for GDPR compliance on GOV.UK Platform as a Service, I am responsible for writing the stories and getting them prioritised with our Product Manager in order to feed into the team’s work streams. It is essential for me to liaise closely with the central GDPR team to ensure that the tasks required for compliance are completed in a timely manner.

Why is this important?

This is a critically important role within the GOV.UK Platform as a Service team as we are in a unique position in that we host other services for use by both civil servants and citizens. As a result, we had to be able to provide information regarding GDPR compliance for service end users. We also had to provide our civil servant users with the information they needed in order to ensure their own GDPR compliance was in place in advance of the deadline.

What’s been the biggest challenge?

The biggest challenge has been gathering information for the various suppliers that we use. This has been difficult as they have been going through the same process. And, as a result, the information requested has not always been to hand.

Syed Bokhari, Associate Delivery Manager

My role

I’m an Associate Delivery Manager in the GDPR Programme Team. Over the last 6 months, I’ve been assisting the Delivery Manager with planning on what work will be done and by when.

Why is this important?

With a programme of this size, there are many aspects to what needs to be done, with many teams and people involved. It’s important to work with the teams to understand the challenges they’re facing and how we can support them as a programme team. My role was to help them identify solutions to risks and blockers that could hinder and impact delivery. I also helped them with planning and prioritising their work, better enabling the team to deliver against agreed timescales.

What’s been the biggest challenge?

Most of the 19 workstreams have dedicated teams working on GDPR, made up of individuals with various skills. At GDS, we also have quarterly missions, which means people will leave and join teams each quarter. This means lots of people are involved in what we’re doing! The biggest challenge has been to create a way of working that ensures information is shared through the forums we’ve created and that we keep track of where we are and come together to solve challenges, whilst reporting our progress to senior stakeholders and wider government.

What’s next

Our approach to GDPR has focused on our existing services and offers, but as these develop, so will our approach to privacy and user rights. At GDS we embed ‘privacy by design’, which means privacy is a consideration as we design the service, rather than something we retrofit afterwards, so it’s something that underpins all of our activity.

As we continue to learn what our users need and the best way to implement that, we’ll also continue to update the Service Manual so that we can share best practice with our colleagues across government.

If you want to find out more about the work of the Government Digital Service, we’re speaking and running workshops at Civil Service Live around the country in June and July and the Public Sector Show in London on 26 June.

Come along to hear from us and talk to us.