Data protection act guidance for the public sector
Skip to Content

Data protection act guidance for the public sector

We are now into the final months before the General Data Protection Regulation (GDPR) comes into effect. You might already be aware that private companies will be required to adjust their practices to comply with the regulation if they hold personal data on their customers and employees, but recently we’ve been getting questions about if and how this regulation will affect the public sector. With that in mind, we’ve put together this data protection act guidance post that will highlight some important information relating to the GDPR in public sector, along with immediate steps you can take to ensure you are on the right track to being GDPR-ready.

Who in the public sector does the GDPR affect?

The general data protection regulation affects public bodies, including, governments, public administrations and agencies the moment they collect or process the personal data of EU citizens. That could be their HR and/or their health records, tax information and even their IP addresses – they are all required to comply with the GDPR.

GDPR fines in the public sector

As is well known, failure to comply with the GDPR could result in massive fines for private companies, leading to loss of profits, damage to their reputation, etc. But what happens to public-sector organisations that fail to comply? Well, it’s quite similar. Fines can go up as high as 20 million euro, and for public sector organisations with an avenue of commercial activities, this can amount to 4% of their annual turnover.

Data protection officer requirements

For organisations in the private sector, the appointment of a data protection officer (DPO) is voluntary, unless your organisation carries out:

  • Data processing operations requiring regular and systematic monitoring of data subjects on a large scale
  • Data processing on a large scale of special categories of data, such as sensitive data (health records, race, religion, etc.) and personal data related to criminal records and offences.

The difference is that in the public sector an appointment of a DPO is mandatory no matter what kind of data you are processing or the size of the operation. This officer will be responsible for:

  • Monitoring compliance
  • Implementing a data governance framework
  • Liaising with the data protection authorities

No longer just a ‘tick the box’ exercise

Being forced to appoint a DPO will likely turn out to be useful in your efforts to become fully compliant. Those behind the GDPR want to make sure that the new regulation is taken seriously. If in the past, both public and private sector compliance was viewed as nothing more than a ‘tick the box’ exercise, the new regulation now requires your organisation to proactively design and execute a strategy that can prove your compliance.

The unique challenges faced by public-sector organisations

While there are many similarities between the public and private sectors regarding the GDPR’s implementation, public-sector organisations face a unique set of challenges. Public entities typically process large amounts of different types of personal data and must provide specific and detailed answers on each piece of data they collect. These include:

What type of personal data do you process?

Who has access to this personal data?

Why do you collect this particular data?

Where is this personal data stored?

When will it be deleted?

There are also new rights – the right to be forgotten and the right to data portability – that must be accommodated. This may prove tricky for organisations who haven’t been required to do this before. Even if we were only to consider the most recent data breaches, it isn’t difficult to understand the importance of this new regulation; making sure the data your public sector entity holds is all correct and accountable for will make recovery much less painful should the worst happen.

Data protection act guidance: immediate steps you can take

Diagnose your situation

Auditing your organisation’s data is the first step to understanding what kind of material you currently hold and how it is stored. Looking at what data you hold and for each piece of data you must respond to the five ‘W’ questions above.

Put a strategy in place

Part of your strategy is analysing the level of risk that each piece of data you process holds and acting accordingly to these risk levels. Developing a comprehensive framework that ensures compliance will be the longer-term plan but something you should begin as soon as possible.

Training staff

As part of your overall strategy, training staff to understand the magnitude of the new regulation and how it will affect the everyday practices and procedures of your organisation will be vital to ensuring successful compliance.

Assess your preparation

At bluesource, we have been making it our mission to ensure companies of all descriptions are prepared for the GDPR come May 2018, and that includes those in the public sector. We provide a range of assessments to help your organisation recognise where you might be susceptible to these regulatory changes and understand what steps you can take to make sure you are fully compliant.


For more information about the GDPR and what you can do as a public-sector organisation, contact us today.