With less than six months until new data-protection law is introduced, PublicTechnology hears from regulators and data professionals across central and local government about what they see as the major challenges facing them between now and 25 May
With the implementation of the EU General Data Protection Regulation now less than six months away, time is running out for public-sector bodies to find answers to any questions they might still have about the incoming law, and their compliance obligations.
The recent Implementing the GDPR in the Public Sector Summit, hosted in London by PublicTechnology parent company Dods, gathered together several hundred data, legal, and digital professionals in a bid to address any remaining uncertainties about what the regulation means for the public sector. Here are some of the major questions that were answered – and one that has yet to be.
1) Will Brexit render GDPR irrelevant?
Given that GDPR comes into effect less than a year before the UK’s scheduled exit from the European Union, some might be tempted to think the regulation is a legislative lame duck. But, with the proposed Data Protection Bill, the government has effectively taken provisions to sign GDPR into UK law – and introduce some additional data-protection measures, to boot.
Jonathan Bamford, head of parliamentary and government affairs at the Information Commissioner’s Office, said: “If any of you think this is wasted effort because we are leaving the EU – the government has made very clear these standards are not going to go away. They are worth investing in. We had data-protection laws in the UK 10 years before the EU."
2) What’s happening with the Data Protection Bill?
The Data Protection Bill is currently going through the House of Lords, and has successfully negotiated its first and second reading, and the committee stage. Today, it goes through the report stage, before moving onto a third reading, the fifth and final phase of its journey through parliament’s upper house.
Thereafter it will go through the same five stages in the House of Commons before, finally – and hopefully – attaining Royal Assent and becoming law. The ICO’s Bamford said that he is confident the Bill will make it through relatively unscathed.
He said: “There is a lot to do. But I am hopeful that it will go through. It is all in the detail.”
3) Whom should you appoint as data-protection officer?
One of the key requirements for public sector bodies introduced by GDPR is the appointment of a designated data-protection officer.
When considering whom to appoint to this important role, Bamford said that, as far as his organisation is concerned, a person’s experience is more important than letters after their name.
“We are less concerned about the minutiae, and more concerned with what the measures achieve. We want people with suitable experience,” he said.
The ICO government chief also said that the stipulation that the data-protection officer reports directly to an organisation’s board “does not necessarily mean a direct reporting line – it could be providing monthly or six-weekly reports”.
Whoever they appoint, organisations should make sure their new data-protection leaders are backed with sufficient resources.
“[You should] have a team to support data-protection officers,” he said.
4) How will data subjects react to the introduction of GDPR?
The implementation of GDPR provides citizens with a number of additional rights in respect of access to information on what data about them is held, and how it is processed. These include the right to obtain information on how long data is stored for, whether they have the right to request erasure or otherwise object to their data being processed, justification for automated processing procedures, and additional information on data sources.
Paul Woods, head of library services operations at the Government Legal Department, said that public bodies should be ready for something of a “rush” of requests for information, but that it is unlikely to unmanageable.
“I remember when FOI was introduced, a large number of requests were received immediately,” he said. “It is quite possible that people will try and exercise their [GDPR] rights in that way. So, organisations need to be prepared for a slight increase in requests – but I do not think it will be explosive.”
He added: “We have to be able to demonstrate a willingness to be transparent about how we process people’s data.”
5) What should be your legal basis for processing people’s data?
GDPR provides for six ways in which to establish a legal basis for data-processing. Five of these are applicable to the public sector, including what might seem to be the easiest and cleanest option: obtaining a data subject’s consent.
But Bamford of the ICO warned against this.
“You need to be careful, because consent is a very high standard – it always has been. It has to be very specifically given, evidenced in some way – and it is capable of being withdrawn,” he said. “If you need to process people’s data irrespective of whether they say you can, you cannot rely on consent as a legal basis.”
Outside of consent, the first option available to public bodies is to demonstrate that data-processing is necessary for the purposes of the fulfilment or creation of contract between the data-processor and the subject. The second is to prove that processing data is necessary for the purposes of complying with another legal obligation.
Processing can also be deemed lawful under GDPR if it is done to “protect an interest which is essential for the life of the data subject or that of another natural person”. The fourth option available to public sector entities is to prove that processing is required to perform a task that is in the public interest, or forms part of “the exercise of official authority vested in the controller”.
Richard Ingle, data-protection officer for the London Borough of Hillingdon, said that this option would be the most valuable for public sector bodies.
“This is the one of that will cover 99% of all our processing,” he said.
6) Who is ultimately accountable?
The existing Data Protection Act differentiates between data controllers and data processors. Controllers are organisations or people with responsibility for defining how and why data is processed, while processors simply carry out such processing on controllers’ behalf. Public sector bodies are invariably controllers, while the technology firms that provide their data-processing tools and services are processors.
In the Data Protection Act – and the GDPR – controllers are, ultimately, responsible for the legality of data-processing. But the incoming regulation tips the balance a little, with processors potentially also bearing responsibilities – and liabilities.
Aysha Mukhtar, information governance manager at the London Borough of Redbridge, said that, although “the data controller will always retain the ultimate accountability”, a little more responsibility for data processors is a welcome development.
“It is about time that things are changing in regards to accountability, and that data processors are held accountable,” she said.
The ICO currently advises that all contracts between public bodies and their commercial data-processing partners do not “relieve the processor of its own direct responsibilities under the GDPR, and reflect any indemnity that has been agreed”. The organisation is working towards creating a code of conduct to help all parties understand their obligations and liabilities and create contracts accordingly – something that Mukhtar said she would welcome.
“We are still very much accountable, and it is down to us to carry out due diligence before selecting a supplier,” she added.
Incumbent contracts may also need to be revisited in light of GDPR, said Robert Clifford, head of data strategy at the Home Office.
“What we are doing in the Home Office is looking at existing commercial engagements. Lots of work is going on with Crown Commercial Service,” he said.
7) What does GDPR mean for public bodies sharing data with each other?
The question of liability becomes even thornier when the two parties sharing data are both public sector entities.
Whitehall departments frequently share data with one another, said Clifford of the Home Office, and typically do so under the protection of a – non-legally binding – memorandum of understanding (MoU) agreement.
“We have MoUs left, right, and centre with other central-government departments,” he said.
But, following the implementation of GDPR, something more ironclad may be required, according to Clifford.
“I have yet to see formal guidance for this but, in my view, there has to be a contract. I do not think an MoU would be sufficient going forward,” he added.
8) What should public bodies do when they suffer a breach?
If they suffer a data breach that is “likely to result in a risk to people’s rights and freedoms”, organisations are required to informed the ICO no later 72 hours after becoming aware of the breach.
Bamford of the ICO cautioned against delaying reporting a breach to allow time to assemble a detailed report, and a comprehensive plan of action to deal with it. Report as soon as you are able, he advised.
“We need to know that something has gone wrong and you’re dealing with it,” he said.
Beyond that, the circumstances of the breach and a full remediation plan can follow in time, he said.
9) How much could non-compliance cost?
The section of GDPR that has, perhaps inevitably, attracted the most attention is the detail concerning punishments for contravention.
Contravening the existing Data Protection Act could see the ICO hit you with a fine of up to £500,000. But the GDPR provides for much more significant penalties: for lesser incidents, the greater of either 2% of global turnover or €10m; and, for more serious breaches, 4% of turnover or €20m – whichever is the larger figure.
The record fine handed out under the Data Protection Act is the £400,000 punishment meted out to TalkTalk last year. Under GDPR, the telecoms firm could have been hit with a £59m fine.
The ICO’s Bamford said that the scale of the penalties is, for the leaders of many organisations, often the most convincing argument for compliance.
“For all our efforts… the thing that seems to get board-level attention is the figure of €20m or 4% of worldwide turnover. That seems to be the biggest wake-up call to organisations investing in their data compliance,” he said. “That applies to the public sector as well – few of us can afford our hard-won cash to be taken away from us.”
10) What happens if I am breached on 24 May?
GDPR is scheduled to come into law on 25 May next year and, until that point, the 1998 Data Protection Act remains the primary piece of legislation by which data controllers must abide.
But, with data breaches now seemingly a part of daily life, there is a very real possibility that a number of incidents will straddle the end of one law and the beginning of another. At the Dods event, Bamford was asked what legislation would apply to a breach that occurred on 24 May, and was reported on 26 May – comfortably within the 72-hour timeframe stipulated by GDPR.
The ICO government chief admitted he had wondered about this himself and, as yet, did not have a definitive answer.
“It is a great question – and the government haven’t got around to answering it yet,” he added.
Bamford told the roomful of public sector delegates that the law should not be seen merely as a document, but as a living entity.
“We want to get organisations on the front foot, and incentivise them to do the right thing,” he said. “It is about organisations designing in data protection into their activities – not building it on when they need it.”
Bamford added: “It is about ensuring public trust and confidence in how data is used. All of you have a vital role in talking about data-protection laws. They do not live in dusty statutes, they live out there, with real people doing real things with other people’s data.”