The Impact of Data Protection (GDPR) on the Public Sector

Piers Kelly

The General Data Protection Regulation (GDPR) came into effect in 2018 and the public sector had to quickly pivot to adapt to the new world of data privacy and protection.

This article will consider the impacts GDPR has had on public sector organisations, providing real-life examples of ongoing challenges and how organisations have overcome them. Here’s what we’ll cover:

  1. The Most Important GDPR Changes for the Public Sector
  2. GDPR Challenges Faced by the Public Sector
  3. Has GDPR Been a Success in the Public Sector?

The Most Important GDPR Changes for the Public Sector

Several provisions are specifically relevant for the public sector and have resulted in changes to the way that organisations operate. These include:

  • Appointing a Data Protection Officer
  • Understanding Legitimate Interest as Grounds for Processing
  • Consent for International Data Transfers

Appointing a Data Protection Officer (DPO)

It has become a duty for you to appoint a DPO if you’re a public authority or body or if you carry out certain types of processing activities.

DPOs assist in monitoring internal compliance, offering guidance on data protection obligations, providing advice regarding Data Protection Impact Assessments and acting as a contact point for any data subjects your organisation is involved with.

Your DPO must be independent and an expert in data protection. In some cases, several organisations can appoint a single DPO to offer an enhanced focus on accountability. 

Understanding Legitimate Interest as Grounds for Processing

GDPR restricts public authorities from using Legitimate Interest as legal grounds for processing personal data. This means public authorities must find another legal basis if Legitimate Interest is currently relied on.

If organisations choose to use this condition in practice, they must thoroughly justify why in their documentation. The DPO has a vital role to play here.

Some examples of legitimate interest processing types include fraud prevention, network security and indicating possible criminal acts that could threaten public safety.

Consent for International Data Transfers

Consent is another legal ground for processing with restrictions for the public sector. The GDPR allows a data transfer based on the data subject’s consent, but public sector organisations can rarely use this exemption.

Brexit hasn’t had much impact on the continuation of data flowing from the UK to the EU. However, certain countries are subject to transfer rules.

It is the role of your DPO to have a firm understanding of international data transfers and the impact they can have on your organisation if the rules aren’t followed accordingly.

GDPR Challenges Faced by the Public Sector

Most public sector organisations offer a wide range of services. This means they usually hold and share extensive amounts of personal data and must control how it’s used responsibly. Data is crucial to how public sector organisations deliver services for citizens, improve their systems and processes and make better decisions.

However, research has found that there’s a lack of trust when it comes to data management in the public sector, particularly in government.

This level of distrust has been heightened since GDPR laws came into play — meaning public sector organisations have had to think of new initiatives to rebuild trust among UK citizens.

The public sector is also still facing ongoing challenges around classifying data according to the exemptions laid out by GDPR. A lot of work has had to go into aligning policies with corresponding Union and national laws.

It has also meant that many public sector organisations have had to invest in updating their security solutions. This has proven difficult during the pandemic when budgets have been tight and the economy has faced a troubling period.

Has GDPR Been a Success in the Public Sector?

Once public sector leaders can overcome the challenges related to IT infrastructure, there are many benefits GDPR can provide to an organisation. Some of these include:

According to a two-year process report commissioned in 2020, GDPR has been assessed as an overall success in meeting expectations and objectives. Yet, more time is needed to smooth out some issues identified. GDPR is contributing to more trustworthy innovation through risk-based approaches.

It also played a key role during the height of the pandemic, when more people were working from home and the element of risk when it came to sharing information increased.

Although deemed a success, the UK government has announced it intends to consult on a new, post-Brexit data protection regime. This means they’ll potentially move away from the UK General Data Protection Regulation that underpins the current data protection legislation.

Are You Looking to Stay in the Know About Public Sector Data and Cyber Security?

Join us at DigiGov Expo 2024

Taking place on the 8th-9th May at the Excel in London, DigiGov Expo will enable you to:

  • Meet and network with 2,400+ fellow public sector tech professionals across the two days.
  • Learn from 150+ exhibitors who are on the frontline of providing technological solutions to public sector challenges.
  • Hear from key figures including Sue Bateman – CDDO, Keith Dargie – Crown Office and Procurator Fiscal Service, Lord Francis Maude, Daljit Rehal – HMRC and many others including representatives from the Alan Turing Institute, Cabinet Office Digital, the ICO, Innovate UK, the NAO and many more across 4 theatres.
  • Forecast future tech trends with a clear and progressive roadmap of what’s to come
