December 19, 2017

No GDPR relief for the public sector – how to prepare for the challenge?

Timo Ahomäki

Head of Portfolio Development, Tieto Security Services

Public sector organisations have no immunity from the effects of GDPR. Coming into force in May, it will impact organisations as well as NGOs and the public sector. There is no room for silos in data handling. You need to be aware at all times what private data you have, where it resides, and who is handling it.

The public sector has vast amounts of personal data. It’s extremely important that citizens can rest assured that their information is safe with the authorities and it is handled in an appropriate manner.

In essence, the same practices that enterprises and organisations use to tackle the GDPR are also valid for public bodies. You need full visibility of your assets and clear policies for data handling. Furthermore, also public sector organizations need to appoint a Data Protection Officer.

Now is the time to see that there are no silos in data handling and processing. You need to be aware at all times what private data you have, where it resides, and who is handling it.

Neglect at your own peril

Much of the GDPR discussion has circled around big corporations and the massive fines that will hit non-compliant organisations.

Some public sector bodies may have thought that this doesn’t concern them. In that case, well, we urge you to think again. GDPR is also very much your headache. Public authorities are explicitly named as possible data controllers and processors (in article 4).

And what about the sanctions? Communities and governmental bodies don’t have a turnover but they’ll be subject to the fine of 20 million euros at maximum. Article 83 lays out the practical details you need to know about this.

This kind of fine would place a heavy burden on cash-strapped public authorities. Impactful sanctions are an important tool to ensure that private data stays safe. But even more than the monetary sanctions, it is about losing trust. Something few public service organizations can afford in this age.

Public sector specialities

Of course, it’s a different matter if private data is used by a business entity; or by an authority who needs data to provide mandatory public services.

It’s important to note that authorities are required by law to collect and retain certain private information. For example, an individual citizen won’t be able to ask the tax authorities to remove his or her information (this would have been too good to be true!), but he or she will have a say on e.g. giving the data out to third parties.

GDPR is going to be a huge undertaking and requires a significant amount of effort, also for the public sector. However, with thorough planning and well-chosen partners, you’ll be ready when May comes.

Interested in finding out more on how to tackle GDPR in public sector? Please watch the recording from our webinar here. 

Stay up-to-date

Get all the latest blogs sent you now!