In recent conversations with IT managers about the implications of GDPR and the steps needed to reach compliance by May 2018, it turned out that representatives from public sector organizations were under the impression that they would be exempt from GDPR compliance. The reason given was that fining a public sector organization would be taking money from one pocket and putting it into the other, as fines would flow back into public funds. Another reason was that they are currently exempt in certain countries, for example in Denmark, and were working on the assumption that their special status would carry over to GDPR.
According to IDC’s reading of the GDPR text*, this is a very dangerous assumption!
Firstly, there is no exemption for the public sector. Article 4 specifically includes public authorities in the definitions of data controllers and processors. Article 37 specifically requires all public authorities or bodies (except courts) to designate a data protection officer. There are other instances where specific terms are applied to public authorities to account for local laws and the effective operation of government. But to all intents and purposes, the public sector is ‘In’.
The only specific derogation relating to public authorities is where these are from non-EU countries and would otherwise be required to maintain a representative in the EU (Article 27).
With regard to fines, it is in fact not unheard of for public bodies to be fined by regulators under current legislation. The ICO in the UK fined Hampshire County Council in August. The Portuguese regulator (CNPD) has previously fined RTP, the public television company. So precedent exists for fining public sector bodies. Note that GDPR does give member states discretion on whether they in fact levy fines on public authorities and bodies (Article 83(7)), and there is a general reluctance to fine such organizations. But the sanction is there if needed.
Given that public sector organizations at all levels (including municipalities) are subject to GDPR compliance, they – just like any other organization around the globe that handles data relating to people in the EU – need to get started now if they want to stand a realistic chance of being compliant by 2018. Public sector organizations in particular handle highly sensitive personal data, such as health records, tax records, judicial records, etc.
Good information governance practices also apply to public sector organizations: knowing what data you have, where it resides, how many copies you have, how long you need to keep it for, and so on. This facilitates responding to subject access requests, executing the right to be forgotten to the extent that it applies to them, defining use cases for data, managing consent, and providing data breach notification in case of a data breach. IDC strongly recommends that every public sector organization handling European personal data get started immediately, because otherwise compliance by May 2018 will not be achievable, and the significant fines that GDPR provides for would be detrimental to public sector budgets.
*IDC does not provide legal advice. If in doubt, consult a lawyer.