The EU GDPR and the new Data Protection Bill – putting the public sector under greater scrutiny

With the new Data Protection Act and the EU GDPR (pre-Brexit) on the horizon, organisations will need to work out how they meet the requirements while balancing the needs of their business. In this blog, Elliot Rose, GDPR and digital trust expert at PA Consulting Group, takes a closer look at the new requirements, what organisations need to consider, and how to get started.

The recent announcement from the UK Government that they will largely follow the EU General Data Protection Regulation (GDPR), with the new Data Protection Bill, when the UK leaves the EU has widely been anticipated. UK organisations, including the public sector, will face a £17 million fine if they fail to protect against personal data breaches or 4% of their turnover. As one of the firms who participated in the planned reforms and who is already helping a number of organisations implement the GDPR, we believe such reforms are good for UK citizens and if implemented in the right way by UK industry, good for the UK as a whole.

All public sector organisations have a fiduciary duty to understand and comply with the new Data Protection Bill (and the GDPR, prior to Brexit), just as they had to do so with the old Data Protection Act. However, the new Bill will be a ‘game changer’.

As reported by Information Age, the Information Commissioner’s Office (ICO) shows that UK healthcare organisations accounted for 43 per cent of all reported data security incidents in the last three years, while central and local government made up 11 per cent. In 2016, the National Audit Office (NAO) found that the 17 largest government departments recorded 8,995 data breaches in 2014-15. Only 14 of those were reported to the ICO (and of course each one could have led to a £17m fine and unwelcome scrutiny. But under the GDPR, all organisations have a responsibility to report all personal data breaches within 72 hours to the ICO.

Many public sector organisations hold and process large amounts of sensitive personal information, including names, addresses, financial data, contact/historical records etc. Through the need to reduce costs and improve public service, many organisations have outsourced their data management and processing. Under the GDPR such third-party contractors are equally liable, along with the customer organisation. You simply cannot contract out your liabilities for the management of sensitive personal information.

The new Data Protection Bill will provide the UK with one of the most robust, yet dynamic, set of data laws in the world. It will include the public sector and will help safe guard essential services such as water, energy, transport and health firms. It will also require public sector organisations to show they have an data strategy to cover power failures and environmental disasters.

Whilst the Minister of State for Digital, Matt Hancock, has stated that any fines would be a last resort and that fines will not apply to firms which had put safeguards in place but still suffered an attack, one of the key challenges we see in the implementation of the existing GDPR is knowing what is ‘adequate’ in terms of safeguards. Under the existing GDPR framework there are still a number of grey areas, such as how much encryption technology you should use. We have already seen some drastic measures, such as the deletion of entire customer data, which can obviously have a very negative impact on any organisation. We have worked with a number of organisations to help them take a balanced approach to make a risk-based decision around the controls required. In our experience, public sector organisations need to work with both legal and their operational functions to make sure that the implementation of the new Data Protection Bill (and the GDPR prior to Brexit) balances the needs of the business with the that of data protection.  Specifically the three key considerations are:

  1. Identify where personal information about your citizens and employees is stored, both within and outside with suppliers, and the controls and protection place today
  2. Make sure you have the governance in place ie an officer responsible for information, a Data Protection Officer etc. and that the authority is registered with the ICO as required by the current DPA
  3. Revisit the transparency arrangements you should already have in place for releasing and publishing information to the public and make sure these are adequate under GDPR.

By Elliot Rose, Digital Trust and Cyber Security Expert at PA Consulting Group.


Security level: Public

More Blog Entries

Sponsored Feature: Simplifying procurement for enforcement services

Setting up a formal procurement exercise for a new enforcement agent contract can be time...

Featured blog: What do we want the police to do? It’s time for an honest debate

The police might be forgiven for thinking that parts of the press have it in for them. First The...


Jonathan Norman 3 Years Ago

I have a nasty feeling that GDPR is going to sneak in under the radar for many organizations, which will be a big shock to the system.

Tushara Kodikara 3 Years Ago - Edited

'UK organisations, including the public sector, will face a £17 million fine if they fail to protect against personal data breaches or 4% of their turnover.' A bit of scaremongering here! Fines are up to, not will be.

Peter Grogan 3 Years ago in reply to Tushara Kodikara .

Indeed, in fact the ICO has been clear that fines will be relevant and proportionate and take into account the organisations ability to pay. I don't think the ICO will be in the business of bankrupting NHS Trusts or Local Authorities, as Central Government will be forced to bail them out. I suspect fines will remain at approximately the same level as those previously imposed on the public sector to date. We await the passing of the UK DP Act and those first key ICO decision notices...........

Tushara Kodikara 3 Years ago in reply to Peter Grogan .

Exactly, even if the fines go back into the government’s coffers, ICO still won’t want to bankrupt the public sector.

Tim Burkinshaw 3 Years Ago

I was hoping to read some specific examples here of what changes are expected. Such as:

- For existing lists of contact details (eg mailchimp email list of subscribers to our Biodiversity Partnership), what do I need to inform them and what questions do they need to agree to if they continue to be on the mailing list?

- How will data protection apply differently to Social Media contact details, eg a twitter handle is already in public domain but as soon as I write that down in a list of contacts and store it in a file does it become liable to DPA or GDPR rules?

Nigel Dexter 3 Years ago in reply to Tim Burkinshaw .

Tim, for existing lists, if the use is in compliance with the GDPR and you don't expect that use to change, then there's little more to do, apart from, perhaps as a courtesy note to advise them of the GDPR and their rights etc.  This can be done as part of your usual correspondence/messaging.  I take it there's no direct marketing or reselling of their contact details?  If so, the forthcoming e-Privacy Regulation is the one to watch!   

In answer to your second Q - YES.  A 'blog post' would be created by an individual (unless working on behalf of a commercial concern), for 'domestic purposes'.  As soon as a data controller records it and makes further use of it, they would need a separate lawful purpose to do so because they could not claim the 'domestic' purpose.

Gareth Ricketts 2 Years Ago

GDPR is unfortunately being viewed mainly in conjunction with cyber-security, therefore rather than taking Elliot's approach of reviewing data/information holistically, and involving all staff, managers are looking for "technical silver bullet". I have been reviewing various websites including the ICO's 12-step guidance, and the only pragmatic info I gained was through Des Ward at Innopsis (latterly the PSN governing board)