What the GDPR Means for the UK Public Sector

In: Compliance | On: Sep 20, 2016
The new General Data Protection Regulation (GDPR) comes into effect in May 2018, taking the place of the existing Data Protection Act (DPA) in the UK. Our recent public sector event, with a guest speaker from the ICO and participants from across the London area, discussed what this legislation means for the public sector in particular.

Much more prescriptive than the DPA, the GDPR greatly expands a number of sections of the current legislation, including the tightening of requirements related to the fair processing of notices, consent and individual rights to privacy. If you work as an information management professional in the public sector and you haven’t yet started thinking about (and preparing for) the GDPR, now’s the time to do so. If your organisation isn’t prepared when it comes into effect, you could be at risk of increased fines.

The change grabbing the headlines is that the fining regime is much more rigorous. These fines must be decided by the member states. In any case, the most stringent fines will be given when a company loses personal data.

There are some special considerations around the GDPR for the public sector, but the biggest part of staying in compliance with the GDPR and other data privacy regulations is to ensure that you both know the legal basis for everything you do and can prove that you have this legal basis when it comes to processing personal data. As the burden of proof shifts onto the data controller to prove compliance, public authorities can no longer rely on a “legitimate interest” condition for processing personal data.

The resounding message from the ICO was that if you’re currently following best practices for information protection and DPA compliance, you’re probably in good shape with the new rules; you just need to ensure that you are following the more explicit instructions. Understanding the intricacies of the GDPR is of the utmost importance. Don’t get left behind. Contact our Professional Services team for expert advice.

About the author

Phil Greenwood

Phil Greenwood is Country Managing Director & Commercial Director at Iron Mountain, responsible for delivering information and records management solutions to the UK's largest Public, Private and NHS customers. Phil directs and runs specialist sector teams aligned to the sector-specific requirements of Iron Mountain's clients. These requirements demand innovative solutions that deliver compliance and governance as well as efficiency and cost-cutting in order to transform business results and improve the way organisations use their information. Phil has over 10 years' experience working with UK and International records management. He is involved with the UK Information and Records Management Society. Phil has worked within service delivery and customer-facing roles, as well as in general management roles within the outsourcing and information management industries. Legally qualified, Phil has also spent time as a fee earner within law firms and has a strong understanding of the way that information and services drive the core business of client organisations.