GDPR in the public sector
The biggest and smallest changes
The closer we get to May 2018, the louder we hear the rumble: The General Data Protection Regulation (‘GDPR’) is on its way. With stronger rights for data subjects and higher fines, the European Union intends to send out a strong message: privacy needs to be taken seriously. How will the changes that are coming relate to organisations in the public sector? We highlight a few topics to provide a better understanding.
By Esther van Duin (Deloitte NL)
Lesser known articles of GDPR
Starting May 25th 2018, all organisations, including those in the public sector, need to comply with the GDPR. Because of the broad scope and big consequences of this new regulation, plenty of articles and opinions have been published describing the possible consequences.
We see, however, that most of the available documentation focuses on general information and consequences even though for some sectors various parts of the GDPR are important. In the public sector several articles of the GDPR that are often described will be less applicable, whereas other, less described articles, will have a higher impact on the public sector specifically.
In order to create clarity in a time where up to date data protection knowledge is of utmost importance, we aim to describe some of the specific impacts the GDPR will have in the public sector. We will first demonstrate which of the commonly known (new) legal obligations of the GDPR have a smaller impact on the public sector compared to other fields. Then we will look into -lesser known- articles from the GDPR that will be applicable specifically to organisations operating in the public.
Privacy email alert
Receive the latest Privacy insights.
Changes that the GDPR brings
As explained, not all changes that the GDPR brings will have an equally big impact on organisations operating in the public sector. Several new obligations, such as data portability, will play a smaller role in this sector than on other sectors.
The right to data portability is a good example of a much discussed new right for data subjects. This right for data subjects to retrieve personal data in a machine readable format needs to be supported by organisations when applicable. However, only personal information collected under consent, or in order to execute a contract qualifies to be subject to data portability. As organisations in the public sector most of the time cannot use freely given consent as a ground for data processing - for the government has a too strong of a position in relation to the data subject -, data portability will mostly only play a role in contractual relations. Since different grounds are often used for personal data processing within the public sector, than in the private sector, such as processing for performing a task of public interest, data portability will not play such a big role in the privacy landscape of the public sector.
Right to be forgotten
The right to be forgotten will also play a smaller role in the public sector, compared to other sectors. This is mainly a consequence of the grounds that the GDPR provides for when the right to be forgotten is not applicable: in case the processing happens for performance of a public interest task or exercise of official authority, or the processing is executed for compliance with a Union or Member State legal obligation, the right to be forgotten is not applicable. Both types of processing occur relatively often within the public sector.
Another new possibility the GDPR brings is the often quoted ‘one-shop-stop’. This enables organisations that operate EU wide to only deal with one data protection authority, instead of dealing with each data protection authority per EU country they operate in. However, since organisations in the public sector often mainly operate in one country (the country that created the organisation), this possibility will not play as big a role for these organisations.
3 most important GDPR changes for the public sector
There are a number of provisions that are specifically relevant for the public sector that are likely to result in changes. We highlight the three most important ones.
Data Protection Officer
Government agencies that process personal data are always required to appoint a Data Protection Officer (DPO). This is different in the private sector, where a DPO is only required when certain criteria are met. It is possible to share a DPO with organisations or agencies, as long as the organisational structure and size are taken into account. Also, consult local legislation to determine if there are additional requirements, such as registration of the DPO in a government register.
Legitimate Interest as grounds for processing
The GDPR restricts the public authorities from using Legitimate Interest as a legal grounds for processing personal data. This means that public authorities must find another legal ground if Legitimate Interest is currently relied upon. Review the processing activities and determine if it can be processed under a different lawful basis, is exempted, or if a derogation applies. If this is not possible, the personal data may not be processed.
Consent for (international) data transfers
Consent is another legal ground for processing with restrictions for the public sector. The GDPR does allow a data transfer based on consent of the data subject, however, public sector organisations can hardly ever use this exemption. The rationale behind this is the relational imbalance between the government and its citizens, which is impeding with the requirement that consent must be ‘freely given’. The GDPR does provide a special option for governmental bodies to exchange data with third countries without suitable safeguards. This is possible if there is a legally binding and enforceable instrument between the government authorities.
The GDPR draws special attention to protection of personal data in the public sector. It introduces a number of significant changes and restrictions. A careful assessment must be done as not all provisions are applicable. Especially the exceptions should be carefully considered before the general rule is applied. When doing so, we advise to also consult local legislation, because it may impose stricter or even additional requirements.
For more information about GDPR, please contact Annika Sponselee or Nicole Vreeman via the contact details below.