The search for sustainable data privacy compliance in the public sector: challenges and developments two years on from GDPR implementation.

Current state of data privacy management in the public sector

Because the public sector encompasses such a wide range of services and enterprises, its organisations hold and share a huge amount of personal data and must control how it is used, responsibly and in a cost-effective way.

As personal data is integral to the provision of services, public sector organisations have a duty of care to protect the privacy of citizens, colleagues and persons in partner organisations, as part of their wellbeing. As these same organisations often deal with very vulnerable people and sensitive information describing them, it is especially critical that personal information is kept secure.

While it is true that the public sector is subject to some exceptions from the regulation (e.g. the right to be forgotten does not apply to the public sector if it impedes the performance of a task carried out in the public interest of health or safety), GDPR and the UK Data Protection Act promote rights for the data subject to have greater visibility of, and more control over, their personal data. This is achieved through rights to access their personal information on request, and all organisations must be able to meet each request in a timely manner.

In short, it is imperative that public sector bodies maintain policies and procedures for storing data so that it can be found and managed in accordance with the data subjects’ rights. To highlight the difficulties in achieving this, an investigation conducted by Bluesource in 2018 across 30 public sector organisations found that fewer than a third had appointed dedicated staff to deal with Subject Access Requests.

Ensuring compliance is key

The fines where an organisation is deemed to be in breach of the regulation have been substantially increased: up to €20 million (or equivalent in sterling) or 4% of annual global turnover (whichever is larger) can be issued for a violation.

A recent blog by Tessian, the email security company, highlighted that the risk of incurring a GDPR-related fine is increasing.

As of October 2020, over 220 fines had been handed out for GDPR violations in 2020. Based on trends from the last 24 months, Tessian expects this number to continue rising. Key numbers Tessian used to emphasise these findings included:

  • Over 220 fines handed out for GDPR violations in the first ten months of 2020
  • Total amount of fines issued so far in 2020 exceeds €175 million
  • Between 2018 and 2019, the average number of fines issued per month increased by 260%
  • July 2020 saw 45 fines, the highest number issued in a single month since GDPR was introduced
  • Misdirected emails have been the primary cause of data loss reported to the Information Commissioner’s Office (ICO)

Between July 2018 and June 2019, an average of 5 fines were handed out each month. But between July 2019 and June 2020, an average of 18 fines were handed out each month – a 260% increase. And, with 45 fines issued for non-compliance in October 2020 alone, it’s clear that the supervisory bodies take information security and compliance very seriously. But do organisations? Maybe not enough yet…

Tessian then referenced research that indicates only 20% of US, UK, and EU companies are fully GDPR compliant and – worse still – 30% of companies have yet to even start their GDPR compliance initiatives.

Against this backdrop, it is unfortunate that in the public sector, where bodies are often under-resourced and working under tight budget constraints, the necessary resources and procedures for GDPR implementation and operation may well be lacking.

As if this were not already a sufficiently challenging situation, the public sector is increasingly at risk from cyber-attacks, which put private data at risk and result in public bodies picking up the subsequent fines. Since 2010, 54% of fines handed out by the ICO for data breaches have been levied against organisations within the public sector, with local councils alone receiving 30 fines[i]. The recent cyber-attack on Hackney Council exemplifies this problem: key services and IT systems were targeted and the council is now scrambling to protect the data of residents. A similar attack was recently made on Redcar and Cleveland Borough Council[ii].

Indeed, two years on from the GDPR regulations going live, many public sector organisations are recognising that, due to changing personnel and fluctuating levels of organisational knowledge, their initial GDPR implementation was incomplete and/or based on manual documentation of processes, data privacy impact assessments and registers of processing activities that are difficult to keep up to date.

This has made these systems ineffective and inefficient at both maintaining controls around the use of personal data, and managing service data subject requests in a sustainable manner.

What’s happened to data privacy management in your organisation?

What would you say is the current state of data privacy capability in your organisation? Which of these four questions are you contemplating today?

Since the GDPR compliance deadline of May 2018, we haven’t had any significant issues or given it much thought. I wonder if we’re still compliant, or managing our risks sufficiently?

We are being responsible with personal data and taking care of our obligations, but the workload is becoming time-consuming and onerous. How can we streamline and simplify our data privacy management to reduce the cost burden to our organisation?

We know we have some gaps in our GDPR processes and in the coverage of our security controls. How quickly and cost-effectively can we complete our data privacy processes and procedures?

We may be/are expecting to have our Data Privacy capabilities audited soon. Can we demonstrate compliance and prevent regulatory fines and reputational risks?

What should you do now?

With daily life slowly returning to something like normal as the worst disruptions of the Covid-19 pandemic start to ease, it is the right time for public sector bodies to review, assess, evaluate, remediate and automate their existing GDPR Data Privacy processes and procedures. That review should be carried out through the lens of their operational performance to date, the cyber security challenge, the enduring regulatory control environment and the lessons learnt across the public sector and industry more widely.

The implications and risks of not doing so have never been greater!