There are fewer than 12 months to go until the General Data Protection Regulation (GDPR) takes effect across Europe. As a result, organisations should be well on their way to ensuring compliance from 25 May 2018. Whilst a recent poll revealed that 76% of public sector executives claimed that their organisation was either ready for the GDPR or on the way to being so, there are still a number of areas which will take some time to bring into complete compliance.
With the increased accountability and scrutiny afforded by the new legislation comes an opportunity for public sector bodies to improve consumer trust in their ability to handle, process and store personal data. One of the main drivers behind legislative reform in this area has been the lack of confidence from consumers when it comes to the storage of their personal data, in particular by public organisations. Whilst it is important for public bodies to comply for the sake of compliance, it is also an ideal occasion for organisations to prove to consumers that they can handle personal data in a responsible manner, and therefore increase citizen confidence and trust in the public sector.
Education
The starting point for this must come from education. Whether they handle personal data first hand through day-to-day tasks or via a role in HR or marketing, all employees must, by the time the new legislation comes into force, be aware of their obligations and responsibility towards citizens' personal data. This may require, in addition to education on the requirements expected, a culture shift within the organisation, perhaps most easily achieved by building on internal policies and creating best practice standards for employees to adhere to.
Recent research by the Information Commissioner's Office (ICO) found that 18% of councils have no mandatory data protection training for employees processing personal data. Such training is the bare minimum standard that public sector bodies should be adhering to, as it can prove invaluable in minimising breaches. The starting point for these organisations will be introducing training in order to educate employees on their responsibilities to citizens' personal data.
In addition, there is a requirement under the GDPR for all companies to appoint a Data Protection Officer (DPO) in order to ensure compliance. Research has found that 74% of local government organisations do not currently have a DPO contact listed. This will need to change in time for next year's legislative reform.
Key Changes for Public Sector Organisations
Below are some of the key changes that will affect public sector bodies in particular:
This list is in no way exhaustive and there could be alternative ways in which organisations can address the changes that will imminently be introduced.
Conclusion
In order to ensure compliance and avoid fines in the public sector (which will be more heavily scrutinised by citizens who may object to public funds being spent in such a manner), public sector organisations must begin respecting the sensitivity of citizens' data and using it appropriately in conjunction with private partners and other public sector organisations. This should ensure the best possible service delivery. It could include requiring organisations to seek partnerships with digital experts in order to fully map their data universe and to avoid gaps leading to non-compliance.