Teiss Head of Training and Consulting, Jeremy Swinfen Green, considers the impact of GDPR on the public sector.
The public sector is struggling to meet the requirements of the GDPR.
With less than 9 months to the 25 May deadline, research from M-Files shows that 82% of UK boroughs have not yet allocated budget for implementing GDPR provisions. And 56% of all boroughs have not yet appointed a Data Protection Officer (DPO). This despite the fact that public authorities are required by the GDPR to have a DPO.
See also: Does Brexit make the GDPR irrelevant?
Lawful processing and the public sector
Local Authorities are unlikely to be relying on an individual’s consent as a reason to process data. And under GDPR, will be unable to rely on “legitimate interest”. Instead they will use the “the exercise of official authority” as the reason.
However, that won’t mean they can hang on to your personal data for ever. Once they have no reason to exercise official authority (perhaps because you have moved to another Borough) they will have to delete much (although not all) of the information they hold about you.
The right to be forgotten
They may well have a problem doing so. The same research from M Files shows that 69 per cent of local authorities are not able to effectively remove personal data from their systems.
Julian Cook, Vice President of UK Business at M-Files, warns that “The right-to-be-forgotten is arguably one of the most challenging aspects of GDPR… This is particularly true for the public sector, where this data is commonly trapped within information siloes and duplicated across different systems and repositories.
“The net result is that public sector organisations often don’t have a full picture of the data on their systems, so completely erasing personal data becomes infinitely more challenging.”
These findings back up research from Kyocera earlier this year that found that only 59 per cent of public sector organisations are aware of the implications GDPR will have on their organisation.
The challenge of GDPR
GDPR throws up some major challenges for the public sector.
The first is probably the technical difficulty of identifying what personal data is held across complex organisations that may be very siloed. The use of data back-ups, and especially back-ups in shared cloud platforms, makes this even more tricky.
The second problem is cultural, persuading bureaucrats who are used to collecting and keeping data on citizens that this may be inappropriate and in the future may be illegal.
The EU has already come to blows with the UK’s educational establishment over the use of biometrics in schools. It is quite possible that the EU will revisit this issue once GDPR becomes active, given the specific inclusion of biometric data under the GDPR.
This cultural problem will only ever be addressed if leaders in the public sector take ownership of data privacy and demonstrate that they are taking this issue seriously.
But they can’t do this alone: they need to be supported by clear and readable policy documents, adequate training, awareness campaigns, and cultural change programmes.
That is a big ask for any public body, especially when purse strings are ever tighter. But, for both legal and ethical reasons, data privacy in the public sector is something that has to be addressed.
Teiss cyber security provide training and consulting on GDPR in the public sector. To find out more email firstname.lastname@example.org.
Image of Manchester Town Hall courtesy of Thinkstockphotos.co.uk, copyright GoldStock