With Christmas and the holiday season approaching quickly, most of us take a rest and reflect on what has been important in the year coming to an end. At the same time, we think about important events in the New Year 2018 and how best to prepare for them.
One significant milestone in 2018 will be May 25th, 2018, when the EU General Data Protection Regulation (GDPR) becomes effective. Adopted in May 2016, this newly harmonized data protection law will be directly applicable in all EU and EEA Member States. This is an important evolution in data privacy regulation, not only because technology advancement in the past 20 years has enabled public sector authorities and businesses to collect and store vast amounts of data, but also because it has enabled them to mine, analyze, and convert this data into information to provide better services to consumers and citizens. With that, greater responsibility is imposed on organizations to protect that personal data. While the GDPR does not introduce many substantially new concepts, it increases the compliance requirements on controllers and on processors of personal data.
Let’s look at some of the fundamental definitions of GDPR and how they relate to and impact Public Sector authorities.
Personal Data – Article 2 GDPR
According to Article 2, GDPR applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. A few exceptions apply to Public Sector authorities, mostly in a crime prevention and investigation context.
Data controllers and Data processors – Article 4 GDPR
Article 4 (7) and (8) GDPR define ‘Controller’ as the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
‘Processor’ is defined as a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
GDPR treats the data controller as the principal party for responsibilities under GDPR, such as collecting consent, managing the withdrawal of consent, enabling the right of access, informing data subjects, etc.
Lawfulness of Processing – Article 6 GDPR
For the private sector, lawful processing of personal data is (among the other cases mentioned) based on the data subject consenting to the use of the data.
However, for Public Sector authorities the need for consent is largely eliminated. They are entitled to process personal data if this “is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”. So, as long as Public Sector authorities can claim a legal basis for the personal data they are processing and are working within their legal competence, GDPR does not impose major challenges to continuing their operations. It is fair to state, though, that each country might need to clarify that legal frame in more detail to avoid uncertainty.
Further aspects specifically relevant for Public Sector authorities include:
Informing Data Subjects – Article 13 GDPR
Article 13 of GDPR mandates that the data subject be provided with information about the legal basis for processing and with the contact details of the DPO and the data controller. As Public Sector authorities are for the most part not required to obtain consent for the processing of personal data, this information requirement is critically important to ensure a trusting relationship between the authority and the data subject.
Data Protection Impact Assessments – Article 35 GDPR
Data Protection Impact Assessments, as defined in Article 35 of GDPR, mandate the analysis of risks and will likely become a critical part of the implementation of new processes and IT systems for Public Sector authorities. Article 35 also implies that continuous monitoring is required in order not only to become compliant with GDPR, but to stay compliant.
Data Protection Officer – Article 37 GDPR
All public authorities and bodies (except for courts) must appoint a Data Protection Officer (DPO). The GDPR establishes the new role of DPO, which must conform to specified rights and responsibilities. The GDPR places specific obligations on a DPO and grants the person considerable autonomy in the exercise of the role. The DPO role requires planning and the allocation of resources to ensure compliance with the GDPR principles of transparency and accountability.
In summary, GDPR will put a spotlight on how Public Sector authorities collect, store, mine, analyze, and share data. It requires Public Sector organizations to refine their strategy and plans for how to prevent data breaches, how to detect them, and how to respond to them. The Data Protection Impact Assessment could be the essential tool to bring all of that together.
As the market leader in enterprise application software, SAP is committed to continued compliance with data protection rules around the globe, now and in the future, including of course compliance with the GDPR. Interested in how SAP is implementing GDPR requirements? That will be covered in another blog soon.