Agenda item

GDPR Update

Report of the Comptroller and City Solicitor

Minutes:

The Sub-Committee received a report of the Comptroller and City Solicitor which provided an update on the internal audit of phase 1 of the Corporation’s arrangements for compliance with the General Data Protection Regulation. The report highlighted that oversight of GDPR is the responsibility of the IT Sub-Committee and the Audit and Risk Management Committee. The Comptroller highlighted that Mazars’ report appended to the report was in draft but that the finalised report had been produced with no material differences. In addition, the Comptroller provided an update on the issue of third-party contractors’ compliance with GDPR, explaining that the relevant departments had been informed of the issue and that the Comptroller’s department had administered 120 data processing agreements, with a further update expected in early 2019.

On the issue of GDPR training, the Comptroller clarified that the 94% quoted in paragraph 20 of the report was difficult to improve, as staff moving departments, leaving or joining the City of London Corporation meant that in practice a higher percentage was unlikely to be achieved. In addition, Members were advised that 85% or over was considered a good industry standard.

 

A Member expressed a concern on the issue of GDPR compliance with bodies affiliated with the City of London Corporation but not formally within scope of the City of London Corporation’s GDPR oversight, such as the City of London Academy Trust (COLAT). The Comptroller confirmed that the City of London Corporation would offer informal support to organisations such as the COLAT but that responsibility for GDPR compliance would remain with the organisation’s information officer. Members highlighted that this was a potentially problematic issue, as the City of London Corporation’s connection to these organisations caused a reputational risk if they were non-GDPR compliant. The Comptroller confirmed that a report would be produced and considered at the May Information Technology Sub-Committee.

Replying to a Member’s question regarding a discrepancy in the data in Mazars’ report, the Comptroller explained that he could not provide any further information regarding the data as it was produced by Mazars.

 

RESOLVED – that the Committee: 

I. the report be noted; and

II. that further GDPR monitoring reports be produced on a …. frequency.
