Is the public sector ready for the GDPR? asks Chris Doutney, Managing Director of Civica Digital, a software company.
Every day, billions of people use mobile devices to take photos, shop online, use apps and send messages, whether at work or at home. In fact, according to IDC, the total amount of data in the world is set to reach 180 zettabytes by 2025. This explosion of new technology has not only completely changed how we communicate with each other but also how we communicate with both private and public services. With businesses such as Amazon and Netflix offering highly personalised services due to effective use of data, citizens are starting to demand the same levels of service from all companies they interact with.
However, with increased personalisation comes a data trade off. How organisations use data has increasingly come into question, leading to the implementation of the EU General Data Protection Regulation (GDPR) which aims to not only safeguard citizen data but also put control back into the hands of the consumer. With one year to go (May 2018) until the GDPR legislation becomes law, how is the public sector set to cope with increased accountability, workload and potential substantial fines for data non-compliance? Or how might the new legislation improve consumer trust in public bodies? We produced a report, surveying public sector leaders to find out.
EU GDPR
The sheer importance of the EU GDPR cannot be ignored. One of the biggest issues within the public sector is the lack of trust around data on the part of citizens, and the regulation will go some way to building this trust. If citizens understand why their data is being collected and how it is being used for the benefit of them, then appropriate data sharing will increase. But is the public sector prepared? While there is still a way to go until organisations are compliant with the impending legislation, our research found that public sector organisations do feel prepared. In fact, 76pc of public sector executives claimed that their organisation was either working on or ‘ready to roll’ with GDPR.
However, the research also found that senior public officials are starting to show concern over the fact that the GDPR and the Digital Economy Bill (DEB), which came into force in early April, may begin to pull data sharing in different directions. Whilst a combination of both GDPR and the DE Bill could solve many data sharing issues, three quarters of public sector leaders felt that the requirements of each set of regulations were in conflict with each other and almost one third (31pc) felt that there were ‘serious areas of conflict’. One made a significant point that the two sets of regulations use different terminology and that this is likely to increase the confusion.
Overwhelmingly, the majority of respondents anticipated that both laws will improve service delivery. In fact, around 85pc of those surveyed felt the DEB would help identify citizens’ service needs better, while all claimed that the GDPR would give citizens control over their data.
Now’s the time
Educate: While confusion over how the two new regulations will work together may remain, public sector organisations cannot bury their heads in the sand. They must begin educating all employees handling personal data, from front-line employees to HR and marketing on the new laws that are set to come into place. A common misconception is that the EU GDPR is purely an IT issue, but it’s a whole business issue and will impact almost everybody within the organisation. Public sector organisations cannot afford to wait until the last minute to react. They may need to seek partnerships with digital experts to ensure they have a full spectrum view of their data universe and to fill in the gaps that could lead to non-compliance.
Prepare: With only a year to go, companies should already be well underway with their GDPR strategy. However, for many serious preparation is still needed, from identifying risks to ensuring a single view of data across an organisation. Many companies will also need to undertake a cultural shift to build best practice standards and policies internally, which employees can actually apply on a day-to-day basis. This is crucial as recent research from the Information Commissioner’s Office (ICO) found that 18% of councils do not have mandatory data protection training for employees who process personal data, which is concerning as it’s a vital part of limiting data breaches. What’s more, the GDPR requires all companies handling EU data to appoint a Data Protection Officer (DPO) to help drive the business needs forward whilst ensuring compliance at all times. However, worryingly, our recent research with MyLife Digital found that 74pc of local government organisations didn’t have a DPO contact listed.
Grow: Public sector organisations need to embrace the new regulation to improve services and use data to understand citizen needs. Building long-term trust is also crucial. At the moment, this is a goal for many, with few doing so effectively. Ultimately public sector bodies must not just worry about being compliant and avoiding fines, but delivering improved citizen services and outcomes.
Finding the right balance
The public sector must find the right balance between respecting the sensitivity of citizen data, while using it appropriately with partners and other public sector organisations to ensure the best possible service delivery. Gaining the trust of citizens on this continued digital journey will be crucial to shaping and building better interactions and delivering more positive outcomes. This won’t be easy, but it’s a challenge we must all be prepared for as the need for transparency around data increases.
