The general data protection regulation 2016: what’s in store for the public sector?

Source: PSE Jun/Jul 16

Geldards LLP’s senior associate Owen Evans and partner Lowri Phillips outline what public bodies need to know ahead of significant data market reforms in 2018.

The countdown to new EU data protection laws has begun. The General Data Protection Regulation 2016 (GDPR) has now been published in the EU Official Journal and will automatically apply in all Member States from 25 May 2018. The new legislation will replace the Data Protection Directive 1995 (DPD) and the national legislation passed by Member States to implement the DPD (in the UK, this is the Data Protection Act 1998, or DPA). 

Although the provisions set out in the GDPR will not “bite” for another two years, organisations are being advised to start preparing for the new laws as soon as possible. This is because the GDPR will introduce several significant changes to the current system of regulation – and to the ways in which organisations will need to approach and achieve compliance. 

Key changes for the public sector 

More data will be treated as ‘personal data’ and will, therefore, be subject to data protection laws. Under the GDPR, pseudonymised (e.g. encrypted) data will be classed as personal data. In addition, online identifiers (e.g. internet protocol addresses) will usually be classified as personal data. Also, genetic data and biometric data will be “upgraded” to sensitive personal data and will, therefore, be subject to tougher data protection rules.

Public bodies will need to appoint a data protection officer (DPO) 

Broadly speaking, the role of a DPO will be to ensure compliance by their organisation with the GDPR. The rules relating to the appointment and responsibilities of a DPO are set out in Articles 37 to 39 of the GDPR. Key points to note are: 

  • Public bodies can share a DPO
  • The DPO must have expert knowledge and act independently
  • The DPO can be a staff member or a hired contractor 

Processing data on the basis of the ‘legitimate interests’ ground 

Currently, one of the legal grounds on which public bodies can process personal data is that such processing is necessary for the purposes of the controller’s legitimate interests. 

This ground for processing will no longer be available to public bodies under the GDPR – so an alternative basis for processing will need to be established (e.g. that the processing is necessary for the performance of a task carried out in the public interest). 

It will be harder for public bodies to rely on consent as the legal basis for their processing. 

As well as a new requirement that consent must be unambiguous and involve positive action by the data subject, the recitals to the GDPR state that consent should not form the legal basis for processing where there is an imbalance of power between the data subject and the controller. 

Such an imbalance of power can often arise where the controller is a public authority, though whether there is actually an imbalance of power will depend on the circumstances surrounding the consent. 

However, the GDPR makes clear that the starting point for public authorities should be not to rely on consent to legitimise their data processing. In relation to sensitive personal data, consent is still required to be explicit. 

Registering details 

It will no longer be necessary to register details of data processing activities with the Information Commissioner’s Office (ICO). However, detailed internal records will need to be kept instead. Also, data controllers will need to be able to demonstrate their compliance with the GDPR/data protection principles. 

The internal record-keeping requirements are set out in Article 30 of the GDPR. They are broader than the current registration requirements. 

To create proper internal records, public bodies will need to evaluate thoroughly the type, extent and nature of data processing they undertake. 

The GDPR makes provision for Approved Codes of Conduct and Approved Accreditation as ways of demonstrating compliance. However, it will be some time before these schemes are up and running.

Privacy notices

Public bodies will need to include more information in their privacy notices. The information to be included ranges from the identity and contact details of the controller to the legal basis for the processing and the data retention period. 

All information provided or made available to data subjects will need to be transparent, easily accessible, concise and intelligible. 


Protection impact assessments 

Public bodies will need to undertake data protection by design and default, and may need to carry out data protection impact assessments (PIAs). 

Data protection by design means that, from the outset, data processing systems must be designed to meet GDPR requirements. Data protection by default means that the highest security settings should be the norm and only personal data necessary for each specific purpose should be processed. PIAs will need to be undertaken before carrying out any ‘high risk’ processing activities. 

Direct statutory obligations for data processors 

Data processors will have direct statutory obligations and liabilities under the GDPR. Processors currently have no such statutory obligations/liabilities under the DPD or DPA. 

Mandatory notification 

Mandatory notification of personal data breaches to the ICO and, in certain circumstances, to data subjects, will be required. 

Under the DPA, there is no system of mandatory notification (though many public bodies notify breaches to the ICO voluntarily, as a way of mitigating the consequences of a data breach). 

Higher fines 

Under the DPA the maximum fine is £500,000. Under the GDPR there will be two levels of fines and, under the higher tier, the maximum fine possible will be €20,000,000 or 4% of annual worldwide turnover (whichever is higher). 

All obligations under the GDPR should be viewed in the light of the potentially enormous fines that can be imposed for non-compliance. 

What to do next? 

The most important thing is to ensure that key personnel understand the changes the GDPR is going to introduce, enabling the organisation to begin the process of evaluating exactly how it will be affected by the GDPR. 

Ultimately, a detailed project plan will need to be created of the changes needed to achieve compliance by 25 May 2018. 

The information in this article is intended as an overview of the law only and legal advice should be taken in relation to any specific issues. Whilst the information contained in this article is believed to be correct at the time of publication, Geldards LLP can accept no responsibility for any action taken in reliance on this article.
