GDPR: the challenge to the public sector


Teiss Head of Training and Consulting, Jeremy Swinfen Green, considers the impact of GDPR on the public sector.

The public sector is struggling to meet the requirements of the GDPR.

With less than 9 months to the 25 May deadline, research from M-Files shows that 82% of UK boroughs have not yet allocated budget for implementing GDPR provisions. And 56% of all boroughs have not yet appointed a Data Protection Officer (DPO). This is despite the fact that public authorities are required by the GDPR to have a DPO.


Lawful processing and the public sector

Local Authorities are unlikely to be relying on an individual’s consent as a reason to process data. And under GDPR, they will be unable to rely on “legitimate interest”. Instead they will use “the exercise of official authority” as the reason.

However, that won’t mean they can hang on to your personal data for ever. Once they have no reason to exercise official authority (perhaps because you have moved to another Borough) they will have to delete much (although not all) of the information they hold about you.


The right to be forgotten

They may well have a problem doing so. The same research from M-Files shows that 69 per cent of local authorities are not able to effectively remove personal data from their systems.

Julian Cook, Vice President of UK Business at M-Files, warns that “The right-to-be-forgotten is arguably one of the most challenging aspects of GDPR... This is particularly true for the public sector, where this data is commonly trapped within information siloes and duplicated across different systems and repositories.

“The net result is that public sector organisations often don’t have a full picture of the data on their systems, so completely erasing personal data becomes infinitely more challenging.”

These findings back up research from Kyocera earlier this year that found that only 59 per cent of public sector organisations are aware of the implications GDPR will have on their organisation.

The challenge of GDPR

GDPR throws up some major challenges for the public sector.

The first is probably the technical difficulty of identifying what personal data is held across complex organisations that may be very siloed. The use of data back-ups, and especially back-ups in shared cloud platforms, makes this even more tricky.

The second problem is cultural: persuading bureaucrats who are used to collecting and keeping data on citizens that this may be inappropriate and in the future may be illegal.

The EU has already come to blows with the UK’s educational establishment over the use of biometrics in schools. It is quite possible that the EU will revisit this issue once GDPR becomes active, given the specific inclusion of biometric data under the GDPR.

This cultural problem will only ever be addressed if leaders in the public sector take ownership of data privacy and demonstrate that they are taking this issue seriously.

But they can’t do this alone: they need to be supported by clear and readable policy documents, adequate training, awareness campaigns, and cultural change programmes.

That is a big ask for any public body, especially when purse strings are ever tighter. But, for both legal and ethical reasons, data privacy in the public sector is something that has to be addressed.


Teiss cyber security provide training and consulting on GDPR in the public sector. To find out more email jeremy@www.teiss.co.uk.


Copyright Lyonsdown Limited 2021
