Companies worrying about whether they have received the best advice over GDPR compliance are not alone, even MPs appear to be at sixes and sevens, amid claims that a data protection training programme – run by an external “GDPR specialist” – has advised them to delete years of casework.
The issue was raised in the Commons earlier this week by the Speaker, John Bercow, after Labour MP Chris Bryant claimed that his staff had attended a GDPR training session organised by the House of Commons and were informed that the new law meant they could not keep any information about constituency cases that had been completed.
Bryant said they came away with the impression that all data from before the last general election would have to be deleted.
He argued that this would make it impossible for him to do his job properly, comparing it to a doctor getting rid of all previous files on patients. “My constituents expect me to have their previous details when they visit,” Bryant said.
And it is claimed that staff in some MPs’ offices have already deleted old casework data, having been told that “all MPs are doing this”.
However, in Parliament Bercow said that “despite vigorous inquiry” by the House authorities and the contractor commissioned to support MPs and their staff, “no trace has been found by those responsible of such advice having been given”.
Bercow then set out what he described as “the actual situation as has been advised to me, and therefore as I understand it to be”.
He added: “Under GDPR and, indeed, existing legislation, there is no prescribed retention period. It is up to each [MP] to have a policy that either states for how long he or she will keep data, or sets out the criteria that that member will use in making such decisions. That is clearly set out in the templates provided by the training company commissioned by the House.
“I can confirm that training and advice will continue to be provided for some time. I understand that the Information Commissioner’s Office accepts that full compliance on May 25 is unlikely to be achieved by many organisations or individuals, but it will expect the basics to be in place: a demonstrable plan of action and an evident will to implement it.
“Our casework supporting constituents is invaluable, but as it involves processing often sensitive personal data, it is particularly important that we engage seriously with the GDPR regime. I am sure that we will all strive to do so.”
All of which raises the question, did MPs actually know what they were voting for by waving through the UK Data Protection Bill last week?
‘Inadequate’ Data Protection Bill is ‘already out of date’
Parish councils win reprieve as ICO gets more powers
Parish councils cry foul at cost of GDPR compliance
GDPR consent guidance is published – with a warning
Most EU data enforcers in a shambles as GDPR looms
Half of UK firms have set aside money for GDPR fines
ICO vows to pursue chiefs as Cambridge Analytica folds
Facebook tears up data deals with Acxiom and Experian
Cambridge Analytica chief steps down from DMA role
ICO applies for warrant as Facebook scandal escalates
Cambridge Analytica row ‘lets genie out of the bottle’