Written by: Mike McEwan, UK CEO, ICONFIRM.
Because of the wide range of services and enterprises the public sector encompasses, it necessarily holds and shares a huge amount of personal data. Personal data means anything that identifies a person, including photographs, name and date of birth, home address, dependants, racial or ethnic origin, religious belief, health conditions and gender.
Public sector organisations often deal with very vulnerable people, making it all the more critical that personal information is kept secure. Personal data is regularly shared in the course of normal business, and organisations are responsible for protecting privacy in every case. It is imperative that policies and procedures are in place for storing and sharing data. Unfortunately, in a broad sector where bodies are often under-resourced and working under tight budget constraints, these procedures may well be lacking.
The Information Commissioner’s Office (ICO) guidance explains that, whilst GDPR for the UK market is an extension of the existing Data Protection Act (1998), there are significant differences, and organisations will be subject to more scrutiny as a result of the new regulation. Whilst the public sector enjoys some exceptions that the private sector does not, the need for compliance is still paramount. Organisations will be held much more accountable for the data they hold and must be able to provide evidence of compliance in all transactions with individuals.
Public sector organisations collect and hold vast amounts of data, much of it sensitive. A common problem, equally relevant to the private sector, is the relevance of the data they hold: databases and filing systems are often overloaded with outdated and unnecessary information. Organisations need to challenge themselves to identify what each item of data they hold is for, using GDPR as an opportunity to clear the backlog. More data brings the need for more robust systems to cope with the volume and to ensure secure data protection, and this is where many organisations fall short, as legacy technology is often out of date and not equipped to meet the new requirements.
The public sector is subject to some exceptions from the regulation that the private sector is not. For example, the right to be forgotten does not apply to a public body where erasure would impede the performance of a task carried out in the public interest, such as in the field of health or safety. However, because GDPR gives data subjects much greater control, including greater visibility of their data and the right to access their personal information on request, organisations must be able to meet such requests in a timely manner. Every individual is entitled to make a Subject Access Request (SAR). Put simply, everyone is entitled to access their personal data on request, and under GDPR organisations are obliged to respond within 30 days. Public bodies will need to ensure that robust data processing systems are in place to cope with the data subject’s new rights. This will undoubtedly create additional administrative work for every organisation in the public sector. A recent investigation by Bluesource across 30 public sector organisations found that fewer than a third had appointed dedicated staff to deal with SARs, despite the risk of substantial fines under GDPR should an organisation be found in breach of the regulation.
Once compliant, there is, of course, the ongoing management of GDPR obligations. Public bodies will need to plan and schedule regular risk assessments to identify any weaknesses in data processing systems and so ensure the ongoing security of the data. It is imperative that public bodies take the opportunity to identify everyone within the organisation who ‘touches’ data and ensure they are thoroughly trained and knowledgeable about the changes and about individuals’ increased rights of access. The newly empowered public will also be able to object to processing of their data that is claimed to be in the public interest, unless the relevant public body can demonstrate that the information is necessary for that purpose.
As part of these stricter requirements, consent must be explicit, and permissions must be easy to understand with minimal use of jargon. The regulation empowers individuals with control over their own personal data whilst also making the organisations that handle personal information more accountable for its security. A common problem within the public sector is that many individuals have no digital footprint, so organisations need to be able to offer consent and consent management in hard copy as well as online. The process should be easy to understand, free of jargon and not dependent on computer literacy.
As the compliance deadline nears, GDPR is talked about often but rarely understood, with a great deal of scaremongering and confusing noise around the regulation. A 2017 YouGov survey found that as many as 71% of British people do not understand what GDPR is or fully appreciate their rights under the regulation.
To many, GDPR appears to be a logistical nightmare. However, this doesn’t have to be the case. In fact, GDPR can be seen as an opportunity to separate valuable data from out-of-date or junk information and to spring clean databases, making it easier to hold quality data rather than unnecessary quantity. The new regulation empowers the data subject, allowing individuals to control their own information and offering a real opportunity for people to manage which details about them are shared.
Public sector organisations must keep their focus on the most important factor, the data subject, whilst also using the opportunity to clear a backlog of unnecessary information and to provide a better, more trusted and more secure service to the public. There is no doubt this will be a challenge, and organisations will need to consider resourcing levels, legacy technology, training and overall procedures as part of the process.
Mike McEwan is the UK CEO of ICONFIRM, a SaaS-based GDPR solution. Prior to joining ICONFIRM, Mike enjoyed a long and successful career in Director and C-level commercial positions within the MedTech sector. Mike’s focus areas included the development of digitalisation in healthcare, telemedicine, and patient data collection and mining for managing chronic diseases.