Department for Work and Pensions to spend £15m on GDPR
DWP defends data protection budget that is 30 times higher than other departments
The Department for Work and Pensions (DWP) has allocated 14.7 million towards GDPR compliance, new research has found, with less than a month to go until the new data regulations come into force.
The DWP is forecast to spend that sum over the course of 2018, with this money predominately being used for a programme of education and awareness, as well as a review of existing records storage arrangements.
In a report entitled 'GDPR: The Impact on Government', the think tank Parliament Street examined how central government departments are preparing to implement the GDPR and how resources are being allocated, gathering responses to Freedom of Information (FOI) requests from the DWP, the Treasury, the Department for Transport (DfT) and the Ministry of Justice (MoJ).
The DWP is spending around 30 times as much as the other government departments on preparing for GDPR, which comes into force on 25 May with the purpose of handing people more control over what organisations can do with their data, and higher penalties for companies and public bodies that misuse or fail to protect that personal information.
A DWP spokesperson defended its 15 million outlay, however, pointing to a high level of staffing, with four times the number of employees at the DfT spread across 800 offices spread across the UK, and that it looks after the personal data of 22 million people.
In a statement sent to IT Pro, the spokesperson said: "We take all of our data protection responsibilities extremely seriously. DWP directly supports 22 million people and need to invest to make sure we are meeting any new levels of compliance. This also means making sure our 80,000 staff fully understand these responsibilities."
Other deparments' spends paled in comparison. The DfT said it has spent 147,000 to date preparing for the regulation, allocating 72,000 towards hiring contingent labour and 23,000 on staff training, and expecting to spend a further 400,000 by the end of the year.
The MoJ, meanwhile, is also expected to spend more than 500,000 by the end of 2018, with its 154,218 spend to date allocated overwhelmingly on software, and the remainder on GDPR-specific training for staff.
The Treasury has spent the least of the four - only 90,483 in 2017/18 - while projecting a 78,800 spend in 2018/19. It also allocated 30,000 on learning and development, and 15,000 on e-discovery tools.
Private sector spending on GDPR compliance has separately been estimated at 1.3 million per company, according to a Coleman Parkes study in February.
Analysing these findings, Parliament Street CEO Patrick Sullivan told IT Pro: "The GDPR signifies the greatest shake-up of UK data rights in recent memory and still the public sector's strategy seems shrouded in mystery.
"We need to hear much more about what policies are being implemented to manage this complex legislation, detail on how our data rights will change and most importantly how much taxpayers will be coughing up to support it.
"It's clear that departments are working hard to comply, but they also need to communicate this effort so that the public have complete confidence in the UK's response to this important new regulation."
Parliament Street's findings into how central government is preparing for GDPR comes weeks after the think tank released a similar report analysing how the NHS is racing to comply; with trusts investing more than 1 million in software, tools and staff training.
Meanwhile, Peter Irikovsky, CEO of Exponea, a firm specialising in e-commerce, warned: "A major concern with this legislation is that many organisations are rushing to meet the impending deadline, hiring in external consultants and resources without being entirely certain that the changes made will deliver complete compliance.
"As such there is a real risk that many departments could be GDPR compliant in theory, but not in practice, due to the complex nature of their software vendors, many of which aren't taking GDPR seriously."
The report outlined several recommendations for central government to improve its approach to GDPR, including a focus on increasing staff training, awareness and accountability across the board, and developing a hub for governmental departments and agencies.