GDPR: the challenge to the public sector

Public sector organisations such as local authorities need to address GDPR

Teiss Head of Training and Consulting, Jeremy Swinfen Green, considers the impact of GDPR on the public sector.

The public sector is struggling to meet the requirements of the GDPR.

With less than 9 months to the 25 May deadline, research from M-Files shows that 82% of UK boroughs have not yet allocated budget for implementing GDPR provisions. And 56% of all boroughs have not yet appointed a Data Protection Officer (DPO). This despite the fact that public authorities are required by the GDPR to have a DPO.

Lawful processing and the public sector

Local Authorities are unlikely to be relying on an individual’s consent as a reason to process data. And under GDPR, they will be unable to rely on “legitimate interest”. Instead they will use “the exercise of official authority” as the reason.

However, that won’t mean they can hang on to your personal data for ever. Once they have no reason to exercise official authority (perhaps because you have moved to another Borough) they will have to delete much (although not all) of the information they hold about you.

The right to be forgotten

They may well have a problem doing so. The same research from M-Files shows that 69 per cent of local authorities are not able to effectively remove personal data from their systems.

Julian Cook, Vice President of UK Business at M-Files, warns that “The right-to-be-forgotten is arguably one of the most challenging aspects of GDPR… This is particularly true for the public sector, where this data is commonly trapped within information siloes and duplicated across different systems and repositories.

“The net result is that public sector organisations often don’t have a full picture of the data on their systems, so completely erasing personal data becomes infinitely more challenging.”

These findings back up research from Kyocera earlier this year that found that only 59 per cent of public sector organisations are aware of the implications GDPR will have on their organisation.

The challenge of GDPR

GDPR throws up some major challenges for the public sector.

The first is probably the technical difficulty of identifying what personal data is held across complex organisations that may be very siloed. The use of data back-ups, and especially back-ups in shared cloud platforms, makes this even more tricky.

The second problem is cultural: persuading bureaucrats who are used to collecting and keeping data on citizens that this may be inappropriate and, in the future, may be illegal.

The EU has already come to blows with the UK’s educational establishment over the use of biometrics in schools. It is quite possible that the EU will revisit this issue once GDPR becomes active, given the specific inclusion of biometric data under the GDPR.

This cultural problem will only ever be addressed if leaders in the public sector take ownership of data privacy and demonstrate that they are taking this issue seriously.

But they can’t do this alone: they need to be supported by clear and readable policy documents, adequate training, awareness campaigns, and cultural change programmes.

That is a big ask for any public body, especially when purse strings are ever tighter. But, for both legal and ethical reasons, data privacy in the public sector is something that has to be addressed.

Copyright Lyonsdown Limited 2021
