The UK government has finally fully committed to adopting the General Data Protection Regulation, but there remains confusion over how it will differ from the existing Data Protection Act.
The European Union regulation comes into effect on 25 May 2018 and will bring with it not just new obligations but also the potential of hefty fines, so it’s important that public sector bodies understand how it will differ from the DPA.
The Information Commissioner’s Office is taking its lead from the Article 29 Working Party – made up of data protection agencies from each EU member state – when it comes to publishing guidance, and there has already been information published on data portability, lead supervisory authorities and data protection officers.
On top of these, the ICO intends to include its own guidance on contracts and liability and also consent, revealing that the GDPR will be tweaked to fit in with UK law, and there are also plans to address the application of GDPR to big data and machine learning.
What’s the difference?
There are some crucial areas that will require the public sector’s attention when it comes to demonstrating accountability.
Organisations will need to implement technical and organisational measures, document processing activities and appoint a Data Protection Officer – although this latter point is not as onerous as it sounds. They can be an existing employee, provided there is no conflict of interest, or a single person can be appointed to act for a group of public authorities.
Their tasks are defined in Article 39 and broadly speaking include ensuring compliance with the GDPR and other data protection laws, advising on DPIAs, training staff, carrying out internal audits and acting as the first point of contact for supervisory authorities and individuals.
Meanwhile, public sector bodies will also need to show evidence of implementation of ‘data protection by design’ and ‘data protection by default’, and use Data Privacy Impact Assessments when using new technologies or if processing presents a high risk to the rights and freedoms of individuals.
These impact assessments, which although championed by the ICO were not obligatory under the DPA, aim to help organisations identity and fix problems at an early stage to reduce costs and reputational damage.
Internal record keeping on processing activities will also become a necessity for all organisations larger than 250 employees, while organisations of any size will need to do this if they process personal data that represents a higher risk.
Costs of individual rights
At the heart of the GDPR is an increased attention to the rights of the individual, which sets it apart from the DPA – and brings with it some potentially costly implications for the public sector.
Once the regulation becomes law, individuals will have greater rights to request access to data – and organisations will no longer have the right to charge for this (unlike under the DPA when a £10 fee could be levied). Moreover such requests must be satisfied within one month.
"At the heart is an increased attention to the rights of the individual"
Handling such access requests could prove highly costly for public sector authorities in terms of the time and resource needed.
The guidance suggests self-service access to data might be a solution to handling these requests, and so this functionality is something digital teams might want to consider building into their digital services.
This is especially the case for departments that have automated decision-making processes, such as those handling grants or awards applications. Under the GDPR these processes must give the individual the right to object at the first point of contact, as well as being able to do so online.
Individual rights are further extended under the GDPR with the ‘right to be forgotten’ – now dubbed the ‘right to erasure’. The DPA stipulated that this only applied if data caused “unwarranted or substantial damage or distress”, but the GDPR removes that caveat completely.
Here, the public sector does have some room for manoeuvre: if holding this data is deemed to be in the public interest or for public health purposes the request can be refused.
In addition, individuals also have the right to have data rectified. Inaccurate or incomplete data must again be corrected within a month.
Data management plans
Another big challenge for the public sector could be data portability rules, which essentially requires the organisation to ensure that data is provided in a structured, commonly used and machine readable form, again free of charge and within a month.
This means that organisations must use open formats such as CSV files so that data can be read by other organisations. For the public sector this is in keeping with the adoption of open standards and should hopefully add more impetus to the move away from legacy software.
The GDPR also mandates that organisations comply with some aspect of data handling that were only advised under the DPA. This will make it more vital than ever that organisations can demonstrate evidence of compliance through documented procedures.
Because of this, it is expected that certification programs relevant to specific industries will emerge to help organisations demonstrate compliance.
"Data portability rules should add more impetus to the move away from legacy software"
But until then, the impetus is on data processors and data controllers to carry out this due diligence and ensure their data handling processes are set up for reporting and reactive enough to defend individual rights.
Finally, there’s the issue of breach notification. The GDPR will compel organisations to report only some types of breaches to the ICO, and only to affected individuals in some cases.
Reporting needs to occur when a breach is likely to risk the rights and freedoms of individuals and must be carried out within 72 hours of the organisation becoming aware of it, although this can happen in phases if the investigation takes time.
The exception is that if the breach affects the public at large, case disclosure has to happen “without delay”. The GDPR also fixes a fine for failing to notify a breach at €10m, making it imperative that public sector bodies ensure they have internal breach reporting procedures in place.
The GDPR will surely cause public sector bodies some organisationstional headaches in the coming months, but the new regulation should also usher in beneficial changes – from a shift away from legacy systems, to a better understanding of information management.
And those public servants working in digital and data teams across government can lead the way in helping their organisations adapt by helping align processes and access channels.