Public Sector and the Impact of GDPR
From May 2018, the new EU General Data Protection Regulation (GDPR) will require all Public Sector organisations to understand more effectively how they manage data on their citizens, contractors and staff.
What does GDPR mean for Public Sector agencies?
GDPR will introduce a new set of requirements on agencies around managing the privacy of data about any person who is classed as an EU citizen. This will cover citizens, customers, contractors, agency staff, volunteers and employees – anybody that is an EU citizen and where an agency holds privacy related data.
The new regulation means citizens will have significantly more rights and powers on how their data is used and consumed, with large fines available for any breaches of the regulation. Citizens will also have the ability to request an agency provide the details of all the information held about them (called a Subject Access Request or SAR).
Some of these changes are enhancements to existing Data Privacy regulations, but there are also some significant new requirements. One of these is the idea of ‘data privacy by design’: agencies will need to treat data privacy requirements as a key functional capability of any new application, system or service that holds privacy-related data.
One key aspect of the new regulation is that there are very large fines associated with any breaches. The maximum is now set at 4% of annual worldwide turnover (aimed at commercial organisations) or €20m. This final figure has gotten the attention of many agencies who, whilst coping with reductions in budgets, would struggle to find such large amounts of money.
And finally, given that this is driven from the EU, there is an expectation that Public Sector agencies will lead the way on adopting and implementing new data privacy regulations.
Does Brexit change anything?
In the short to medium term, the answer is no.
Public Sector agencies are still going to need to develop strategies and implement plans to support GDPR. There are, however, a number of outstanding questions around the timings of what happens next and the influence this will have on GDPR implementations.
At the time of writing, the UK Government has suggested the triggering of Article 50 (required to formally start the procedures for leaving the EU) won’t now be until early 2017. There is also a suggestion that the stated 2-year period for defining exit terms may take considerably longer. If we assume that Article 50 gets triggered on 1st January 2017 and negotiations do indeed take 2 years, then we will already have a 6-month overlap between needing to be GDPR compliant (May 2018) and when the UK is no longer part of the EU and, as a consequence, GDPR does not apply any more (January 2019).
Some agencies have suggested that this means they will only need to worry about GDPR compliance for a 6-month period between May 2018 and January 2019. The questions that come to mind around this are:
- What happens if the negotiations take longer than 2 years?
- How will all Public Sector bodies demonstrate GDPR compliance even after the UK has left the EU, given they all hold data on EU citizens?
- To trade with the EU, what form of enhanced data privacy requirements (UK GDPR) will the UK need to have in place?
- After exiting the EU, will UK Public Sector bodies need to cater for 2 different data privacy regulations (GDPR and UK GDPR)?
What data challenges does GDPR create?
I think GDPR creates 4 main data challenges, which are shown below with additional details on why each challenge occurs:
- Finding all the data on ‘persons’ (i.e. citizens, employees, contractors etc.)
  - Data is held in different systems and different formats
  - Omni-channel and citizen engagement solutions create data silos
  - Digital footprints left by using electronic channels need to be included
- Supporting Subject Access Requests
  - Finding ALL data, not just most of it
  - Data inside and outside the agency
  - Visibility of what got missed
- Enacting consent
  - What is allowed to be done with data, and by whom?
  - What data elements can or can’t be used?
  - Derived data is potentially also included
- The Right to be Forgotten
  - Understanding the Right to be Forgotten requirements and constraints
  - Understanding how often this will happen will drive decision making
  - Manual vs automated approaches to solving this challenge
  - How to report compliance?
Some of these challenges are extensions of the existing legislation, and Public Sector agencies will only need incremental change to support them. Others are significantly new and call for new thinking and new data-oriented solutions.
So what do Public Sector agencies need to start taking action on?
I break this down into 2 distinct areas and call this the ‘Where to start checklist’.
One checklist is for the Business community and one for the Data community. Data Privacy is often managed through the Data/IT functions of an agency, although logically it is more of a business function, so I’ve assumed it sits within the Business community.
Business checklist
1. Download and review the regulation in detail
2. Ensure you engage your legal and data security teams as early as possible
3. Identify Executive sponsorship, ownership and measurements
4. Identify Partners who can help
5. Educate your staff, ecosystem and community
6. Communicate with your staff, ecosystem and community frequently
Data/IT checklist
1. Undertake a review of your citizen, employee, contractor and volunteer data
2. Identify, profile and classify this data
3. Model your data landscape
4. Create a risk scoring approach and compute method
5. Undertake analysis on data proliferation inside and outside the agency
6. Look for additional resources for support
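To make the Data/IT checklist and the four data challenges above concrete, here is an added Python sketch (not part of the original post, and not any agency's real tooling) that walks three constructed "systems" held in different formats (a CRM export, an HR CSV line and a web log), classifies the data elements found, computes a simple per-system risk score, answers a Subject Access Request across all of them, enforces a consent register per purpose, and processes an erasure request while reporting which systems were touched. The records, regex patterns, sensitivity weights and consent grants are all assumed sample values.

```python
"""Toy data-inventory helpers for a GDPR readiness exercise: classify PII
elements across systems held in different formats, compute a per-system risk
score, answer a subject access request, enforce consent per purpose, and
process an erasure request with a report of what was touched.
All records, systems, consent grants and weights are constructed examples."""
from dataclasses import dataclass
from urllib.parse import unquote
import re

# Constructed sample holdings in three formats: a CRM export as dicts, an HR
# record as a CSV line and a web-analytics log line (the "digital footprint").
CRM_RECORDS = [
    {"system": "crm", "id": 101, "email": "a.smith@example.org",
     "phone": "+44 20 7946 0000", "postcode": "SW1A 1AA"},
    {"system": "crm", "id": 102, "email": "j.doe@example.org",
     "phone": "", "postcode": "M1 1AE"},
]
HR_CSV = "hr,501,a.smith@example.org,AB123456C,1980-05-04"
WEB_LOG = '10.0.0.1 - - [01/May/2018] "GET /account?email=a.smith%40example.org" 200'

# Regexes that tag data elements in free text. Anything they miss is the
# "what got missed" blind spot, so this table's coverage needs reviewing.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),  # UK NI number shape
    "dob": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
    "ip": re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),
}
# Assumed sensitivity weights per element, used by the risk score.
WEIGHTS = {"email": 1, "phone": 1, "postcode": 1, "ni_number": 4, "dob": 2, "ip": 1}

# Constructed consent register: subject -> purpose -> elements that may be used.
CONSENT = {
    "a.smith@example.org": {"service_delivery": {"email", "phone", "postcode"},
                            "marketing": {"email"}},
}


@dataclass(frozen=True, order=True)
class Finding:
    system: str
    record_id: str
    element: str  # classified data element, e.g. "email"
    value: str


def classify_text(system, record_id, text):
    """Tag every element matched by PATTERNS in a line of free text."""
    return [Finding(system, record_id, element, m.group(0))
            for element, pat in PATTERNS.items() for m in pat.finditer(text)]


def build_inventory():
    """Checklist steps 1-3: walk every system and emit one classified
    Finding per data element, whatever the source format."""
    findings = []
    for rec in CRM_RECORDS:  # structured: the keys already name the classes
        for key in ("email", "phone", "postcode"):
            if rec[key]:
                findings.append(Finding(rec["system"], str(rec["id"]), key, rec[key]))
    system, record_id, *fields = HR_CSV.split(",")  # semi-structured CSV
    findings += classify_text(system, record_id, ",".join(fields))
    findings += classify_text("weblog", "line-1", unquote(WEB_LOG))  # raw log
    return findings


def risk_score(findings):
    """Checklist step 4: additive score per system so the most sensitive
    holdings are tackled first (the weights are assumptions)."""
    scores = {}
    for f in findings:
        scores[f.system] = scores.get(f.system, 0) + WEIGHTS[f.element]
    return scores


def records_for_subject(findings, subject_email):
    """Link records to a subject via their e-mail address."""
    return {(f.system, f.record_id) for f in findings
            if f.element == "email" and f.value == subject_email}


def subject_access_request(findings, subject_email):
    """SAR: every element held on the subject across all systems, including
    the footprint left in logs, not only the obvious CRM record."""
    linked = records_for_subject(findings, subject_email)
    return sorted(f for f in findings if (f.system, f.record_id) in linked)


def is_use_permitted(subject_email, purpose, element):
    """Enacting consent: default deny; only registered purpose/element pairs pass."""
    return element in CONSENT.get(subject_email, {}).get(purpose, set())


def erase_subject(findings, subject_email):
    """Right to be forgotten: drop every linked record and return the systems
    touched, which is the evidence needed to report compliance."""
    linked = records_for_subject(findings, subject_email)
    remaining = [f for f in findings if (f.system, f.record_id) not in linked]
    return remaining, sorted({system for system, _ in linked})


if __name__ == "__main__":
    inv = build_inventory()
    print("risk by system:", risk_score(inv))
    for f in subject_access_request(inv, "a.smith@example.org"):
        print("SAR:", f.system, f.record_id, f.element, f.value)
    print("marketing by phone allowed:",
          is_use_permitted("a.smith@example.org", "marketing", "phone"))
    left, touched = erase_subject(inv, "a.smith@example.org")
    print("erased from:", touched, "records left:", len(left))
```

Two design points matter more than the code. First, the SAR and erasure functions deliberately include the web log, because the "digital footprint" is the holding most agencies forget, and the same subject-to-record link is reused for both so that what a SAR returns and what an erasure removes cannot drift apart. Second, the consent check is default deny: a purpose or element absent from the register is refused, which is the safer failure mode when the register is incomplete.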
Why start now?
Concern over the timing of the triggering of Article 50, and the length of time for exit negotiations, do not change the need for Public Sector agencies to accelerate their GDPR compliance journey.
So why start now? I think there are 3 reasons:
- The clock is already ticking
- It’s a challenging problem to tackle and will take time to resolve
- The size of a prospective fine is significant
With agency budgets being squeezed, a good plan for implementing GDPR solutions will help mitigate financial pressures. The more time agencies give themselves to do this, the more the impact can be mitigated. Here is a link to a recent webinar on GDPR and suggestions on where to get started on this journey.