There are fewer than 12 months to go until the General Data Protection Regulation (GDPR) takes effect across Europe. As a result, organisations should be well on their way to ensuring compliance from 25 May 2018. Whilst a recent poll revealed that 76% of public sector executives claimed that their organisation was either ready for the GDPR or on the way to being so, there are still a number of areas which will take some time to bring into complete compliance.
With the increased accountability and scrutiny afforded by the new legislation comes an opportunity for public sector bodies to improve consumer trust in their ability to handle, process and store personal data. One of the main drivers behind legislative reform in this area has been the lack of confidence from consumers when it comes to the storage of their personal data, in particular by public organisations. Whilst it is important for public bodies to comply for the sake of compliance, it is also an ideal occasion for organisations to prove to consumers that they can handle personal data in a responsible manner, and therefore increase citizen confidence and trust in the public sector.
The starting point for this must come from education. Whether employees handle personal data first hand through day-to-day tasks or via a role in HR or marketing, by the time the new legislation comes into force all of them must be aware of their obligations and responsibility towards citizens' personal data. This may require, in addition to education on the requirements expected, a culture shift within the organisation, perhaps most easily achieved through building on internal policies and creating best practice standards for employees to adhere to.
Recent research by the Information Commissioner's Office (ICO) found that 18% of councils have no mandatory data protection training for employees processing personal data. Such training is the bare minimum standard that public sector bodies should adhere to, as it can prove invaluable in minimising breaches. The starting point for these organisations will be introducing training in order to educate employees on their responsibilities towards citizens' personal data.
In addition, there is a requirement under the GDPR for all companies to appoint a Data Protection Officer (DPO) in order to ensure compliance. Research has found that 74% of local government organisations do not currently have a DPO contact listed. This will need to change in time for next year's legislative reform.
Key Changes for Public Sector Organisations
Below are some of the key changes that will affect public sector bodies in particular:
- Definition of Personal Data - Has been widened so that personal data that has been encrypted and online identifiers, for example IP addresses, are included. In addition, sensitive personal data will include genetic and biometric data. Therefore, more data will be subject to data protection laws. Higher levels of protection which are currently applied to sensitive personal data will need to be applied to genetic and biometric data.
- Legitimate Interests Ground - Public authorities will no longer be able to rely on this as a basis for processing personal data. Organisations will need to be clear about the grounds for lawful processing being relied on. In addition, EU Member States will be given powers to adapt the rules in relation to tasks carried out in the public interest or in the exercise of public authority. Public bodies will need to keep up to date on developments in relation to this.
- Consent - Conditions for obtaining consent are now stricter. Consent should be freely given, specific, informed, unambiguous, distinguishable and easy to withdraw, as well as specific to each processing activity. Public authorities should ensure that consent for lawful processing is active and does not rely on pre-ticked boxes. In addition, they should make sure that the consent relates specifically to the purposes of the processing, as consent for one purpose cannot then be used for another. Existing consents may become invalid and new consents may therefore need to be obtained. However, it would be better for public bodies to base their processing on other legal grounds.
- Increased Individual Rights - The GDPR will bring an increase in the rights of individuals to request information regarding the storing and processing of their personal data. As a result, staff will need to be trained in relation to these new rights and there will need to be new internal policies and procedures in place to aid compliance. Public bodies will also need to ensure that their systems for processing personal data are able to cope with these increased rights. For example, they will require the ability to isolate and permanently erase data where requested by a data subject. It is important to note that data subjects will have the ability to object to processing which is claimed to be in the public interest or necessary for the exercise of official authority. Public bodies will need to be able to prove overriding legitimate grounds for processing in order to overrule this objection.
This list is in no way exhaustive and there could be alternative ways in which organisations can address the changes that will imminently be introduced.
In order to ensure compliance and avoid fines in the public sector (which will be more heavily scrutinised by citizens who may object to public funds being spent in such a manner), public sector organisations must begin respecting the sensitivity of citizens' data and using it appropriately in conjunction with private partners and other public sector organisations; this should ensure the best possible service delivery. This could include requiring organisations to seek partnerships with digital experts in order to fully map their data universe and to avoid gaps leading to non-compliance.