Implementing an effective compliance strategy is a key priority for organisations across every sector. By ensuring effective measures are in place, companies can protect themselves against significant fines and the reputational damage that typically ensues following a compliance breach.
However, with new data protection policies coming into force in May 2018, the pressure is likely to intensify as organisations work to identify the new policies and processes that are required in order to comply. Just this month (August), the Government confirmed its intention to write the legislation into law in the form of a new Data Protection Bill – a move that will upgrade the UK’s privacy laws making them fit for purpose for the digital age.
With less than 12 months to the introduction of the General Data Protection Regulation (GDPR), Idox Compliance takes a look at its likely impact on public sector organisations specifically, how it differs from the Data Protection Act and whether Brexit will influence its integration into UK law.
Organisations can also register their interest for our webinar on 5 October at 10am (GMT), designed to help those working in both the public and private sectors prepare for the new regulations, via the link at the bottom of this article.
Preparing for GDPR
In March, the Information Commissioner’s Office (ICO) published the results of a survey into local government information governance as part of their preparations for the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018.
Although the ICO notes that many local authorities have good data protection policies, there are still councils where work needs to be done. The survey findings include:
- A third of councils do not undertake Privacy Impact Assessments (PIAs)
- 26% of councils do not have a data protection officer
- 50% do not require data protection training before accessing systems
Under the new GDPR, the above findings could constitute a breach, and result in the ICO taking action against the offending council. Recently, the ICO fined a county council £60,000 (under the Data Protection Act) for failing to dispose of social work case files appropriately.
What impact will Brexit have on the GDPR?
The UK Government has finally triggered article 50 of the Lisbon Treaty, starting the process for leaving the European Union (EU). However, this does not mean that the UK will escape the European Commission’s GDPR. Digital minister, Matt Hancock, has confirmed that it is in the UK’s best interests to ensure the ‘uninterrupted and unhindered flow of data’, stating that the GDPR would be fully implemented into UK law, even after its departure from the EU.
Is the public sector exempt from the GDPR?
There have been reports that some public sector bodies believe they are exempt from the GDPR. This assumption is based on the regulation’s special conditions and derogations, which allow member states to restrict the GDPR’s scope to safeguard the public interest (some countries, such as Denmark, already have exemptions for public sector bodies). Additionally, fining a public sector body has been viewed as making little sense – taking from one public sector budget and placing it in another.
However, both of these assumptions are flawed. As the GDPR has been designed to enhance the rights of EU citizens, it would be against the spirit of the regulation to introduce blanket exemptions for the public sector. And it is certainly not unheard of for regulators to fine public bodies for neglecting to take care of sensitive information in an appropriate way.
How does the GDPR differ from the Data Protection Act?
The GDPR has been described as ‘the most important change in data privacy regulation in 20 years’, providing greater rights to citizens and harmonising data privacy laws across Europe. However, to achieve this, new requirements have been placed on organisations. These include:
- Personal data – Article 4(1) of the GDPR includes a broader definition of ‘personal data’ than previous legislation. It states that any information relating to an individual which can be directly or indirectly used to identify them is personal data. Specifically, it refers to ‘online identifiers’, which suggests that IP addresses and cookies may be considered personal data if they can be easily linked back to the person.
- Privacy by design – The concept of ‘privacy by design’ is not new, but Article 23 of the GDPR makes this a legal requirement. In essence, it means that public sector bodies will have to consider data protection at the initial design stage of product development. This could involve adopting technical measures such as pseudonymisation – the technique of processing personal data in such a way that it can no longer identify a particular person.
- Data Protection Impact Assessments (DPIAs) – As the ICO’s research highlights, a third of councils do not undertake any form of privacy impact assessment. From May 2018, public sector organisations will have to carry out DPIAs for certain activities such as introducing new technologies and when processing presents a high risk to the rights and freedoms of individuals. In the latter case, organisations will need to consult the ICO to confirm they comply with the GDPR.
- Appointment of a Data Protection Officer (DPO) – Article 35 of the GDPR states that public bodies must have a designated Data Protection Officer. This can be an existing employee, as long as there is no conflict of interest, or a single DPO can represent a group of public sector bodies. As the ICO research suggests (26% of councils do not have a DPO), this is one of the main areas where councils need to improve.
- Data portability – Public sector organisations must ensure that personal data is stored in a ‘structured, commonly used and machine readable form’, so that individuals can transfer data easily to other organisations. For instance, suitable formats would include CSV files.
- Strengthening subject access rights – Individuals can now request access to their data for no cost and must be responded to within 30 days (this is a change from the Data Protection Act, which requires a £10 fee and allows a 40-day response time). For complex cases, this can be extended by two months. However, individuals must be notified within one month and be provided with an explanation. These requests could prove time consuming and costly for public sector bodies, which supports the case for introducing digital services that allow individuals to access their own data.
- Right to be forgotten – The right to erasure (its official name) allows individuals to ask an organisation to delete all the information held on them – although this would not apply if there was a valid reason to hold that data. This principle was established in the high-profile case involving technology giant Google.
- Failing to comply and breaching the GDPR – When there is a breach, public sector bodies will have an obligation to inform their national regulator (the ICO in England) ‘without undue delay and, where feasible, not later than 72 hours after having become aware of it.’ These requirements could present challenges for public sector bodies, who are often engaged in providing vital public services with limited resources. However, policies will have to be introduced to ensure breaches can be reported promptly, particularly as the new penalties for data breaches are significant, with public sector bodies liable for fines of up to €10,000,000. In addition, individuals also have the right of redress and may seek compensation if they feel their rights have been breached.
What should public sector bodies be focusing on?
Although May 2018 may seem a long time away, the ICO research suggests some local councils (and the wider public sector) need to make several changes to ensure compliance with the GDPR.
While many organisations have already started to make significant strides in their Data Protection initiatives, time is almost running out before the GDPR comes into effect. Evidence of a clear strategy – including the appointment of a Data Protection Officer, the use of privacy impact assessments, and staff training – will go a long way towards demonstrating an organisation’s intent to comply with the GDPR.
In order to support these preparations, Idox Compliance will be hosting a webinar on 5 October at 10am (GMT), with the aim of raising awareness of the new regulations and helping organisations to comply. For more information and to sign up, please click here.