HMG’s Data Protection Preparedness

This survey is intended to provide information on the state of Government’s preparations for the
General Data Protection Regulation (GDPR) and Data Protection Bill. Responses will be collated
and analysed and form the basis of a report for the Cabinet Secretary. The report will also help
inform next steps in Government's preparedness, including identifying areas of common
challenge, where DCMS will facilitate collective solutions and or additional guidance.

Privacy statement
Information provided in the course of this survey, including personal information, may be
published or disclosed in accordance with access to information regimes, primarily the Freedom
of Information Act 2000 (FOIA) and the Data Protection Act 1998 (DPA). The Department for
Digital, Culture, Media and Sport (DCMS) will process personal data supplied in this survey in
accordance with the DPA. The information supplied in this survey will be shared within DCMS
and with selected third parties for purposes connected with the survey, including analysis,
discussion, reports and next steps, and in accordance with business need. Third parties with
whom information will be shared are:
Cabinet Office
Other government departments
Consultant (TBC)
Aggregated analysis of responses may also be shared with the Information Commissioner’s Office
(ICO) and the Government Internal Audit Agency (GIAA). Consent will be sought in accordance
with the DPA should there be a requirement to share information with any other third parties
outside of those listed above. If you want the information you provide to be treated confidentially,
please be aware that, in accordance with the FOIA, public authorities are required to comply with
a statutory code of practice which deals, amongst other things, with obligations of confidence. In
view of this, it would be helpful if you could explain to us why you wish that information to be
treated confidentially. If we receive a request for disclosure of that information, we will take full
account of your explanation, but we cannot give an assurance that confidentiality can be
maintained in all circumstances.

Page 1 of 17
Q3 Survey completion instructions
The survey should be signed off by a Senior Civil Servant. There are six short sections:
Background information
Data Protection Officers
Discovery
Data processing
Risk
Wider Responsibilities
You may partially complete the survey and return to it at a later date (before the deadline), so
long as you use the same internet browser and the same computer when returning to the survey.
You can also toggle backwards and forwards between questions.
To submit your completed response, please use the 'forwards' arrow on the final page. Any
partially completed surveys will be submitted automatically at the end of the survey period.
Where there is a reference to the data protection legislation in the survey, this should be read as
the GDPR and the Data Protection Bill (including Part 3 Law Enforcement Processing).
The survey will close at midday on 24 October. If you would like to submit any accompanying
documentation, or if you have any queries, please email
( @culture.gov.uk).

Page 2 of 17
SECTION 1 – Background information

What is the name of your department?

Department for Environment, Food and Rural Affairs
Predominantly, what type of department are you (for data protection purposes)?

o Operational (1)

o Policy (2)

o Other (please specify) (3) Pre-dominantly policy but with many Arms Length Bodies
undertaking operational activities.

Roughly how many people’s personal data do you hold (including staff)?

o Less than 2,000 (1)

o 2,000 - 20,000 (2)

o More than 20,000 (3)

Please provide your contact details.

o Name (1)

o Role (2)

o Grade (3)

o Email address (4) @defra.gsi.gov.uk

o Telephone number (5)

Page 3 of 17
Are you the working contact responsible for day to day implementation of new data
protection legislation in your department?

o Yes (1)

o No (2)

If No,
Please provide the working contact’s details.

o Name (1) ________________________________________________

o Role (2) ________________________________________________

o Grade (3) ________________________________________________

o Email address (4) ________________________________________________

o Telephone number (5) ________________________________________________

Who is the senior lead official responsible for data protection legislation implementation
within your department?

o Name (1) Jan Booth

o Role (2) Head of Knowledge and Information Management

o Grade (3) SCS1

o Email address (4) @defra.gsi.gov.uk

o Telephone number (5)

Page 4 of 17
 SECTION 2 - Data Protection Officers
All public authorities must appoint a Data Protection Officer (DPO) responsible for monitoring and
advising on data protection compliance across the organisation and reporting to the departments
Board. The DPO must not have a role in defining the processing of information within the
organisation. For those departments that carry out large scale monitoring of individuals and/or
those that process special categories of data such as health records the Data Protection Officer
should be a senior civil servant.

Has your department appointed a Data Protection Officer, according to requirements as

set out in data protection legislation?

o Yes (1)

o No (2)

If Yes,
Please provide contact details for the Data Protection Officer.

o Name (1) ________________________________________________

o Grade (2) ________________________________________________

o Email address (3) ________________________________________________

o Telephone number (4) ________________________________________________

If No,
When do you plan to have an appointed Data Protection Officer, according to requirements
as set out in data protection legislation?

o October to December 2017 (1)

o January to March 2018 (2)

o April to June 2018 (3)

o After June 2018 (4)

Page 5 of 17
And
Do you have an interim Data Protection Officer?

o Yes (1)

o No (2)

If Yes
Please provide contact details for the interim Data Protection Officer.

o Name (1)

o Role (2)

o Grade (3)

o Email address (4) @defra.gsi.gov.uk

o Telephone number (5)

________________________________________________

Page 6 of 17
SECTION 3 – Discovery
All compliance activity for data protection legislation implementation is dependent on knowing
what data you hold, for what purpose or purposes and how you process it. This will likely require
an information audit of your organisation.
Has your department started an information audit to understand the data you hold and the
data flows between your department, its partners and suppliers?

o Yes (1)

o No (2)

If Yes,
What is the expected completion date of the information audit, or date of completion if the
audit has already concluded?

o September 2017 or earlier (1)

o October to December 2017 (2)

o January to March 2018 (3)

o April to June 2018 (4)

o After June 2018 (5)

If No,
Are you planning on undertaking an information audit?

o Yes (1)

o No (2)

If Yes,
Q19 Please provide further information, including start and finish dates.

Under the Defra group Data Protection Programme which covers the core Department and
its main Arms Length Bodies there is a work stream on Inventory and Consent which will develop

Page 7 of 17
a high level map of inventories of personal information and identify any significant gaps in it. The
work is due to be undertaken between 1st November 2017 and 15th March 2018.

SECTION 4 – Data processing

You will need an organisational action/project plan to assess and address where current policies,
processes and systems do not comply with the proposed new laws. The plan will also need to
cover partner organisations and contractors who process data on behalf of your department. The
plan should include:
Meeting requirements concerning data processing notification, access, rectification,
erasure, restriction, data portability, objection and automated decision making-based on
profiling;
Meeting requirements for logging and auditing, and categorisation, set out in Part 3 of the
DP Bill if you are processing for law enforcement purposes;
Seeking, recording and managing consent for data processing and portability;
Ensuring the security of data, in particular to cyber threats;
Conducting data protection impact assessments where appropriate;
Detecting, reporting and managing personal data breaches;
Ensuring staff are aware of and trained to meet their responsibilities.

Has your department started assessing your current compliance with the new data
protection legislation?

o Yes (1)

o No (2)

If Yes,
Have you started implementing an initial action/project plan to address areas of non-
compliance in a prioritised and risk proportionate manner?

o Yes (1)

o No (2)

If Yes,
What is the expected completion date of your assessment of current compliance with
the new data protection legislation, or date of completion if already completed?

Page 8 of 17
o September 2017 or earlier (1)

o October to December 2017 (2)

o January to March 2018 (3)

o April to June 2018 (4)

o After June 2018 (5)

And,
What is the expected completion date of the action/project plan for policies and
processes, or date of completion if already completed ?

o September 2017 or earlier (1)

o October to December 2017 (2)

o January to March 2018 (3)

o April to June 2018 (4)

o After June 2018 (5)

And,
What is the expected completion date of the action/project plan for systems, or date of
completion if already completed?

o September 2017 or earlier (1)

o October to December 2017 (2)

o January to March 2018 (3)

o April to June 2018 (4)

o After June 2018 (5)

Page 9 of 17
If No,
When will you start implementation of the action/project plan?

o October to December 2017 (1)

o January to March 2018 (2)

o April to June 2018 (3)

o After June 2018 (4)

o Don't know (5)

And,
When do you plan to start assessing your current compliance with data protection
legislation?

o October to December 2017 (1)

o January to March 2018 (2)

o April to June 2018 (3)

o After June 2018 (4)

o Don't know (5)

Page 10 of 17
And,
When do you plan to start implementing your initial action/project plan to address areas
of non-compliance in a prioritised and risk proportionate manner?

o October to December 2017 (1)

o January to March 2018 (2)

o April to June 2018 (3)

o After June 2018 (4)

o Don't know (5)

Following completion of your initial action/project plan, what level of residual compliance
risk do you expect to remain?

o Low (1)

o Medium (2)

o High (3)

o Don't know (4)

If you would like to briefly explain, please do so below.

We have completed a readiness assessment using the Information Commissioner’s Office

readiness assessment tool. This indicates a current risk of medium to high non-compliance. More
detailed work on risk assessment is planned including undertaking Data Protection Impact
Assessments on key areas of personal information processing. This will provide a more detailed
and rigorous assessment of specific systems on the basis of which risk mitigation decisions will
be made. It is anticipated that following implementation of these risk mitigating actions the residual
risk will be medium or low, but further work is needed and planned to provide assurance on this.

Page 11 of 17
Does your department have sufficient resource allocated to adequately prepare for the new
data protection legislation?

o Yes (1)

o No (2)

If No,
Please provide further information.

________________________________________________________________

________________________________________________________________

________________________________________________________________

________________________________________________________________

________________________________________________________________

Law enforcement purposes means the processing of personal data by competent authorities for
the purposes of the prevention, investigation, detection or prosecution of criminal offences or the
execution of criminal penalties, including the safeguarding against and the prevention of threats
to public security.

Does your department process data for law enforcement purposes?

o Yes (1)

o No (2)

If Yes,
While Defra as a Department of State doesn’t undertake law enforcement based processing it
has a number of Arms Length Bodies that do. The department is working closely with these to
ensure that processing complies with the relevant legislation.

Page 12 of 17
When do you expect to complete your preparations for the Law Enforcement Directive
(LED, covered in part 3 of the Data Protection Bill) processing, or date of completion if
already completed?

o September 2017 or earlier (1)

o October to December 2017 (2)

o January to March 2018 (3)

o April to June 2018 (4)

o After June 2018 (5)

Page 13 of 17
SECTION 5- Risk

Briefly describe your three biggest areas of concern in relation to complying with data
protection legislation.

o Concern 1 Uncertainty about the interpretation of the legislation in a way which is

consistent with other central Government bodies.

o Concern 2 Time scales prove too tight to assess and mitigate risks of non-compliance
especially where changes to IT systems are needed which have long lead times.

o Concern 3 High priority activities on EU Exit and the transformation of Defra and its Arms
Length Bodies mean that complying with data protection legislation does not receive sufficient
priority to manage risks of non-compliance to an acceptable level.

Are there any specific areas where you would like additional central guidance and
support?

o Yes (1)

o No (2)

If Yes,
Please detail the specific areas where you would like additional central guidance and
support.

It would be useful to have a schedule setting out what guidance and support DCMS will provide
and a timetable for this. This would enable us to develop guidance in areas where none is going
to be provided early and to wait to defer internal work where central guidance will be provided.

Has your department taken steps in respect of communicating, training and enhancing
awareness of the data protection legislation for all appropriate staff?

o Yes (1)

o No (2)

Page 14 of 17
If Yes,
Describe briefly the steps that you have taken.

________________________________________________________________

________________________________________________________________

________________________________________________________________

________________________________________________________________

________________________________________________________________

Taking everything into consideration, how positive or negative do you feel about the
department being on the right trajectory for compliance with the key, priority requirements
set out in Annex A of Sir Jeremy Heywood’s letter of 14th September, 2017?

o Extremely positive (1)

o Somewhat positive (2)

o Neither positive nor negative (3)

o Somewhat negative (4)

o Extremely negative (5)

Please explain briefly why you feel this way.

Defra has established a Data Protection Programme which includes plans to undertake detailed
assessment and mitigation of risks associated with Data Protection compliance. However, there
remain many uncertainties about interpretation of the legislation, some of which is still in
Parliament. Until Data Protection Impact Assessments are undertaken there are considerable
uncertainties about the extent of risks and the cost, timescales and feasibility of undertaking steps
to mitigate these. Timescales are very tight, and the Data Protection Programme is intervening at
a time of intense and high priority activity in relation the EU Exit and transformation of the Defra
group, which make it more difficult to ensure that data protection receives the attention it needs
to ensure low risks in all areas.

Page 15 of 17
SECTION 6- Wider responsibilities

Does your department have Accounting Officer and/or risk assurance responsibilities for
any Arms Length Bodies or public sector organisations?

o Yes (1)

o No (2)

If Yes,
How many?

o 1 - 5 (1)

o 6 - 20 (2)

o 21 - 40 (3)

o 41 plus (4)

How is your department working with its Arms Length Bodies and public sector
organisations to monitor or help them prepare for the new data protection laws? (For each
of the four 'actions', select one of the columns)

Plan to (1) Started (2) Completed (3)

1. Initial Engagement
(1) o o o X

2. Guidance on
necessary actions
(e.g. workshop) (2) o o X o
3. Direct support to
prepare (e.g.
recruiting DPO,
audits, action plans) o o X o
(3)

4. Assurance process
of preparation (e.g.
Surveys) (4) o o X o

Page 16 of 17
If you have any further comments, please detail below.

________________________________________________________________

________________________________________________________________

________________________________________________________________

________________________________________________________________

________________________________________________________________

Please confirm that this survey has been signed off by a Senior Civil Servant.

o Yes (1)

o No (Please explain) (2) ________________________________________________

Thank you for completing this survey

Page 17 of 17