Should the UK Public Sector prioritise refreshing its GDPR compliance performance in 2021?

Due to the nature of the wide range of services and enterprises the public sector encompasses, organisations hold and share a huge amount of personal data and must control how it is used responsibly and in a cost effective way.

As personal data is integral to the provision of services, public sector organisations have a duty of care to protect the privacy of citizens, colleagues and persons in partner organisations, as part of their wellbeing. As these same organisations often deal with very vulnerable people and sensitive information describing them, it is especially critical that personal information is kept secure.

While it is true that the public sector is subject to some exceptions from the regulation (e.g. the right to be forgotten does not apply to the public sector if it impedes the performance of a task carried out in the public interest of health or safety); GDPR and the UK Data Protection Act promotes rights for the data subject to have greater visibility and more control over their personal data. This is achieved through rights to access their personal information on request, and all organisations must be able to meet each request in a timely manner.

In short, it is imperative that public sector bodies maintain policies and procedures for storing data so that it can be found and managed in accordance with the data subjects’ rights. To highlight difficulties in achieving this, an investigation conducted by Bluesource in 2018 across 30 public sector organisations found that less than a third had appointed dedicated staff to deal with Subject Access Requests.

The fines where an organisation is deemed to be in breach of the regulation have been substantially increased, up to €20 million (or equivalent in sterling) or 4% of annual global turnover (whichever is larger) can be issued for a violation.

Against this backdrop, it is unfortunate that in the public sector, where bodies are often under resourced and working under tight budget constraints, the necessary resources and procedures for GDPR implementation and operation may well be lacking.

If this was not an already sufficiently challenging situation, the public sector is increasingly at risk to cyber-attacks which put private data at risk and results in public bodies picking up the subsequent fines handed out. Since 2010 54% of fines handed out by the ICO for data breaches have been levied against organisations within the public sector, with local councils receiving 30 fines alone^[i]. The recent cyber attack on Hackney Council exemplifies this problem, where key services and IT systems were targeted and the council is now scrambling to protect the data of residents, while recently a similar attack was made on Redcar and Cleveland Borough Council^[ii].

Indeed, two years on from the GDPR regulations going live, many public sector organisations are recognising that due to changing personnel and fluctuating levels of organisational knowledge, their initial GDPR implementation was either incomplete and/or based on manual documentation of processes, data privacy impact assessments and registers of processing activities that are difficult to keep up to date.

This has made these systems ineffective and inefficient at both maintaining controls around the use of personal data, and managing service data subject requests in a sustainable manner.

What would you say is the current state of data privacy capability in your organisation? Which of these four questions are you contemplating today: