What does GDPR mean for the Public Sector?

The GDPR deadline in May 2018 is looming fast. There are many aspects to this new legislation, and getting your head around them is the biggest challenge. It has been 20 years since the last EU data protection law, and in that time technology has come a long way, changing the way we handle data and how quickly it can be shared or stolen.

We recently sponsored the GDPR in the Public Sector conference in Manchester. We had some great conversations and really started to understand the strains that public sector organisations are facing when it comes to the new GDPR legislation. The picture is different in each industry, so we thought we’d share what we think matters most for yours.

GDPR in Education

The education sector holds its student records across many different systems, and consolidating this data will be a big task. One of the biggest risks to mitigate will be holding data without a legal basis or consent, particularly older data. A new process may have to be put in place to demonstrate how people gave their consent for their data to be kept. The most important aspect of GDPR in the education industry is the safeguarding of children. In the GDPR text, children are set out as ‘vulnerable individuals’ who need ‘special protection’. This duty now falls firmly on education establishments, and the need to get it right is more important than ever.

GDPR in the NHS

The NHS holds highly confidential information, which means the way it handles data is critical. The recent cyber breach in the NHS showed just how dangerous it is when its systems are compromised: thousands of operations were cancelled, ambulances had to be diverted and GPs couldn’t access patient data because the whole system had to be shut down. The biggest problem within the NHS is that patients’ data needs to be available and accessible to be useful, and therefore many different people need access to it. The most important thing for the NHS is to introduce new processes that maintain security and prevent further breaches from occurring, minimise the impact of any data breach, and make sure everyone involved knows exactly what to do if a breach happens. Organisations will now have 72 hours to report a breach once they become aware of it; if they fail to do so, they could face huge fines of up to £2 million.

GDPR in Local Government

The biggest challenge for local authorities is the many different purposes for which they process data, and therefore the need to obtain separate consent for each purpose. Bundling consent will render it invalid and could result in fines. Processes within local authorities will have to be reviewed and changed, including the audit trail for the provision of consent, because regulators will place greater responsibility on being able to demonstrate that consent was given. There is also a change in the time limit for responding to a subject access request, from 40 days to one month. Councils and local authorities will need to consider where time can be saved in order to comply with this new limit.

Rising to the challenge

With just 6 months left to implement all the necessary changes, it’s no wonder GDPR is on everyone’s mind, but this isn’t a bad thing. The more we talk about and understand what is needed to comply with this new law, the more we raise awareness of the obligations, the risks, and what happens if a data breach occurs after May 2018. Complying fully by the deadline will be a challenge for every organisation in the public sector, as the volume of data involved is huge, but the sooner organisations start the better. The first steps are to appoint a Data Protection Officer and to identify and categorise the personal data you hold. From there you can identify the compliance gap that needs to be addressed and the actions required to close it. As a result, it is likely that policies and procedures will need to be reviewed to ensure your organisation is compliant in time for 25th May 2018.

As the public sector digitises, GDPR should help keep the protection of personal information at the heart of data management. While these organisations need to act for the public good, they also need to balance this with the needs of the individual.

Filed under: Events, Governance News, Regulation and Compliance.