As we’ve all heard by now, the EU General Data Protection Regulation (GDPR) is the most far-reaching shake-up of data privacy regulation in decades. Up to now, most organisations may have felt they had plenty of time to prepare. But guess what: suddenly GDPR’s full force is almost upon us – with less than 100 days left before it comes into effect on 25th May 2018.
It’s hard to overstate GDPR’s implications for organisations that hold and use personal data. Its provisions include rights for individuals to be forgotten and to see any data held on them on request, plus requirements such as mandatory notification of data breaches within 72 hours and an obligation to apply “privacy by design”. And it imposes harsh fines for non-compliance. Put simply, it takes the power and control over personal data and puts it decisively in the hands of the individual.
While this is a massive change for organisations across all industries, its implications are especially profound for the public sector. From policing to taxation to health to housing and more, government bodies are awash with information that’s both personally identifiable and highly sensitive. From May 25th, all of that information will be explicitly owned and controlled not by the organisations holding it, but by the citizens.
Are public service organisations ready? Well, to my mind, yes, but only to a point. We recently researched the readiness of public sector bodies across Europe for the arrival of GDPR. The most straightforward question was perhaps the most revealing: asked to what extent they were preparing for GDPR, the proportion saying they were “not ready” ranged from 27% for central government and large hospitals, to 37% for state/regional government, to a shocking 47% for large local government bodies.
Given how imminent GDPR now is, the fact that over a third of public sector organisations admit they’re not ready is worrying enough on its own. But a closer look at those who do claim to be ready gives further grounds for concern. Most regard GDPR as a compliance project, involving the creation of new processes to handle obligations like citizens’ rights to access their data or to be forgotten. But they also admit a lot of these processes won’t be ready in time.
What’s more, public sector organisations are likely to be more deluged than their private sector counterparts by requests made under GDPR – such as Subject Access Requests. Why? Well, if someone signs up with a mobile operator, for example, it’s their choice to hand over their personal data. And if they don’t like what that operator does with it, they can always switch to a competitor. In contrast, people don’t provide personal information to the tax or social service agencies because they want to, but because they have to. And they can’t switch to another tax agency if they feel like it.
All of this makes data held by the public sector an emotional and complex issue. Once GDPR comes in, imagine how many people will be asking – via every conceivable channel – to see the data that the government departments they deal with hold on them. And the departments will have a legal obligation to comply with every request, free of charge – even if this means pulling information from several different systems across the organisation. Then there’s the issue of how they deliver it back to the citizen securely.
Given all this, what do public sector bodies need to do? With the deadline looming, it’s time to make sure the basics are in place. If the processes being developed for GDPR won’t be ready on May 25th, this means being smart about how to leverage technology to do the job at speed, for example with automation. Software robots could pull data from multiple systems to meet a data access request. Or it might mean masking specific pieces of personal information on a screen in a call centre, because the rep doesn’t need to see them to handle the query at hand. Whatever the job, what matters is finding a tool to handle it without burying staff under a mountain of manual work-arounds.
With less than a hundred days to go until GDPR, it’s time for public sector organisations to turn their steady march towards compliance into a sprint for the line. Otherwise the risk is that, once 25th May arrives, they won’t know what’s hit them.