• Opinion
  • September 26, 2018

Five steps to GDPR-compliance for local governments

Opinion: The public sector can face huge fines for failing to comply with new data laws

This article was co-authored by Madeline Le Botlan, Project Manager and Data Protection Advisor at Civocracy, and Emily McDonnell, Head of Partnerships and Communication at Civocracy.

GDPR stands for General Data Protection Regulation, and was implemented by the EU in May 2018 with the aim of protecting European citizens’ data and regulating the sharing of data across borders.

The topic was thrust into the spotlight following the Cambridge Analytica and Facebook scandal in relation to the most recent US election (user data was obtained without permission and used to manipulate results).

Mark Zuckerberg’s appearance in front of both the US Congress and European Parliament raised issues of ownership and responsibility. Did the private company do something wrong? Or did our politicians fail to protect us?


This is the highest profile case, but it isn’t the only one where citizen data has been exploited. Recently, there has been such rapid development within the digital sphere that legislation hasn’t had the chance to catch up.

There are wide-reaching consequences of these data breaches. A recent KPMG study revealed that more than half of the world’s consumers are choosing not to purchase items online due to fears around their personal data.

And Publicis ETO’s intrusion barometer showed that, in 2016, 78% of citizens surveyed were “disturbed” by the way their data is collected and stored.

GDPR has been implemented to address these fears and return power over personal data back to the people.

Challenges for local government

For both private companies and public institutions, there has been lots of worry about compliance, with many organisations struggling to become “GDPR ready” (only some state governments are exempt from fines, but all are held accountable).

Many of the guidelines and information provided are explicitly aimed at private companies, and yet the law also applies to local governments.

In La Gazette des communes, it was reported that only 10% of local governments in France were ready by the May 25 deadline. And since then, the situation hasn’t changed significantly.

Under GDPR, local and regional authorities — who possess a lot of sensitive data on their citizens (such as population files or information on apartment rentals) — can face extremely high fines for misuse of information. Charges can get as high as €10-20 million ($11-23m) for non-compliance, and randomised checks by data specialists are being held across Europe to oversee implementation progress.

What is compliance?

With fines so high, it’s easy to be so scared of the repercussions that we simply stop collecting and processing data.

However, when we break down what GDPR actually means, it’s clear: only use the data you need. Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject and purpose.

Within the public sector, there is a key basis for processing personal data. The “public task basis” allows authorities to use data when they can demonstrate that the processing is to perform tasks that are set by national law.

There are a number of other lawful bases for processing data. The most important is gaining the consent of users at the start of the data collection process. Other lawful bases include legal or contractual obligations, and vital interests of security.

Five steps to compliance

1. Identify your Data Protection Officer (DPO)

You should already have one; in many countries it has been required by law for many years. Most organisations process a large amount of data and therefore will have someone responsible for overseeing this content.

Find the DPO closest to your office and invite them to give a workshop in which they train staff to ensure they’re aware of data protection, and recognise when and how data is processed in their day-to-day roles.

2. Handling data? Ask yourself three questions

What are you trying to achieve? Can you achieve this result differently without using this data? Do you have a choice over whether or not you should process this data? If the data is essential to your goals, you can use it. But only use what you need, handle it with care, and don’t share it unnecessarily.

You also have the option to anonymise results, which is highly recommended whenever possible for an extra layer of protection.

3. Privacy by design and default

GDPR shouldn’t be an afterthought, or a lens through which to retrospectively assess projects. All new processes must have the principles of privacy built in, and every project, policy and process must protect users’ data without requiring their input.

Keep the following in mind when collecting data:

  • Purpose specification: individuals must be notified what their data will be used for (e.g., it’s not acceptable to use regional job seeker information for political communications)
  • Collection limitation: collection of personal data must be lawful and transparent
  • Data minimisation: as little data as possible should be collected, and only for immediate processing purposes

4. Departmental risk analysis

GDPR isn’t just an IT department risk. It affects every department, so it is essential to understand what data each internal team handles, and to ensure they’re aware of all sensitivities around processing it. For instance, HR teams possess internal personal data and communications teams use data to share messages.

With each department, identify the categories of data processed and their particular sensitivity. Carry out an impact assessment of the risk level of the data, and implement a reporting system in case there is a security breach.

5. Choose your suppliers wisely

At initial meetings with potential external suppliers, ask about their GDPR compliance, and question the way they handle data.

Do partners offer privacy by default? If they’re an online product, do they use a reputable and secure hosting service (e.g., Amazon Web Services), and will they request consent from users?

When working with external companies, there are two key roles to consider: processor and controller. The controller is held to account. Data controllers are those who generate and own the data; they must therefore provide precise specifications for data protection when outsourcing processing to ensure compliance. Data processors simply utilise the data they have been provided with in a way specified to them by the controller.

— Madeline Le Botlan and Emily McDonnell

(Picture credit: Flickr/t.ohashi)

