GDPR versus the DPA: the implications for the public sector

Mon 20 Feb 2017

The UK has finally committed itself to adopting the General Data Protection Regulation (GDPR) due to come into force in May 2018 but there remains confusion over how it will differ from the existing Data Protection Act (DPA).

GDPR elevates the rights of the individual and formalises this, making it far more prescriptive than the DPA, which it will replace. In the public sector these differences include:

  • Appointment of a Data Protection Officer (DPO): Organisations will need to implement technical and organisational measures, document processing activities, appoint a DPO, show evidence of implementation of ‘data protection by design’ and ‘data protection by default’ and use Data Privacy Impact Assessments (DPIA) where appropriate. The appointment of a DPO will now be compulsory for all public sector organisations although this can be an existing employee, provided there is no conflict of interest, or a single DPO can be appointed to act for a group of public authorities. DPO tasks are defined in Article 39 and broadly speaking include ensuring compliance with the GDPR and other data protection laws, advising on DPIAs, training staff, carrying out internal audits and acting as the first point of contact for supervisory authorities and individuals.
  • Data Protection Impact Assessments (DPIAs): DPIAs, while championed by the ICO, were not previously obligatory under the DPA. The aim of a DPIA is to “allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur” and these will soon be a legal requirement that must be carried out when using new technologies or if processing presents a high risk to the rights and freedoms of individuals.
  • Documented processing procedures: Organisations larger than 250 employees will also now find themselves having to maintain internal records on processing activities while organisations of ANY size will need to do the same if they process personal data that represents a higher risk to personal data.
  • Access to personal data: Individuals will have greater rights to request access to data and organisations will no longer have the right to charge for this (unlike under the DPA when a £10 fee could be levied). Moreover such requests must be satisfied within one month. Handling such access requests could prove highly costly for public sector authorities in terms of the time and resource needed. Interestingly, the guidance suggests self-service access to data might be a solution to handling these requests and so this functionality is something digital teams might want to consider building into their digital services. This is especially the case for those departments which have automated decision making processes such as those handling grants or awards applications. Under the GDPR these processes must give the individual the right to object at the first point of contact AND online.
  • Right to erasure: The ‘right to be forgotten’ is now dubbed the ‘right to erasure’. The DPA stipulated this only applied if data caused “unwarranted or substantial damage or distress” but GDPR removes that caveat completely. Here, the public sector does have some room for manoeuvre as if holding this data is deemed to be in the public interest or for public health purposes the request can be refused. In addition, individuals also have the right to have data rectified. Inaccurate or incomplete data must again be corrected within a month.
  • Data portability: The organisation is requires to ensure data is provided in a structured, commonly used and machine readable form, again free of charge and within a month. This means that organisations must use open formats such as CSV files so that data can be read by other organisations. For the public sector this is in keeping with the adoption of open standards and should hopefully add more impetus to the move away from legacy software.
  • Breach notification: GDPR will compel organisations to report only some types of breach to the ICO and only to affected individuals in some cases. Reporting needs to occur when a breach is likely to risk the rights and freedoms of individuals and must be carried out within 72 hours of the organisation becoming aware of it although this can happen in phases if the investigation takes time. The exception is if the breach affects the public at large when disclosure has to happen “without delay”. GDPR also fixes a fine for failing to notify a breach at 10 million Euros making it imperative that public sector bodies ensure they have internal breach reporting procedures in place.
  • Certification and compliance: There will now be a mandated obligation to comply with some aspect of data handling that were previously only advised under the DPA. This will make it vital that organisations can demonstrate evidence of compliance through documented processes. It is expected that certification programs will emerge to help organisations demonstrate compliance but until then, the impetus is on data processors and data controllers to carry out this due diligence.

Before the legislation comes into effect, public sector bodies need to familiarise themselves with the demands of the new legislation, put in place the processes that will facilitate data portability and provide the citizen with easier access to records. There’s no doubt that in some cases that will require optimisation of existing digital services.