More than an IT Issue
Although the public sector is generally more aware of GDPR than the private sector, its reactions and preparations are poor. The implications of this legislation for existing policy and service delivery mean that every job in the public sector is likely to be affected, and public bodies must be willing to radically change their approach to data handling.
Brexit changes nothing
Even though the UK is set to leave the EU, it will have to follow GDPR to the letter until that happens.
That means public sector bodies should be ready to comply until 2019 at the very least, and probably longer. Even then, the UK will probably be expected to follow the rules if it expects to do business or share data with anyone on the continent.
Get used to the C Word
The regulations explicitly stipulate that the power imbalance between public bodies and data subjects means consent will not usually be valid grounds for data processing by a public body. ‘Freely given’ consent won’t be enough. Expect to be held to a higher standard, and expect to request consent by ‘line item’ for all data uses.
Furthermore, be aware that this tightening of consent laws will likely mean that your existing consents are invalid. Therefore, be prepared to invest resources to renew and update them.
Beware blind spots.
Contrary to the assumption that GDPR is ‘just an IT issue’, it’s worth remembering that the regulation covers data in all formats. Despite a general move towards electronic communications, public sector bodies still deal in paper.
Print data breaches constitute only around 8% of breaches, but they will be handled the same way under GDPR. Be sure to give paper records the attention they deserve, and establish clear, unambiguous policies on the usage and storage timelines of personal data across all formats.
Train up
18% of local authorities in the UK offer no data protection training for their employees. Further to this, only a quarter currently list a DPO contact. Since both will soon be mandatory (along with other requirements like privacy breach assessments), public bodies would be wise to develop their skillsets in these areas before the regulation comes into force in May.
Be prepared for citizens to demand more from you.
GDPR prohibits data controllers from charging data subjects for disclosures. More detailed data must also be disclosed.
Coupled with the new right to contest decisions made on the basis of algorithmic data processing, public bodies should expect to spend a great deal more time servicing data release requests and contentions, and they should expect to do it for free.
External sources
Thank you to all of the external sources below for helping to put this research together.