Central government works with significant volumes of personal data, some of which can be sensitive. Compliance with data protection requirements should therefore be a key priority.
Data Protection Act 2018 (UK GDPR) - the basics
The General Data Protection Regulation (GDPR) became enshrined in UK law as the Data Protection Act 2018 on 25 May 2018, modernising the way in which organisations process and handle personal data.
GDPR introduced a number of new concepts, such as Privacy by Design, and the requirement to complete a data protection impact assessment. It also gave greater prominence to the role of the Data Protection Officer (DPO).
Other changes included:
- Enhanced rights for data subjects in accessing, updating and obtaining a copy of their personal data, as well as some additional rights such as right to erasure and right to data portability
- The requirement for controllers to report breaches to supervisory authorities swiftly, and within 72 hours
- Use of personal data must be legal – a lawful basis should be cited for each data processing activity
- Data controllers made responsible for any personal data transferred to third parties and must contractually require third parties to adhere to data protection obligations
- The introduction of significant sanctions for non-compliance, up to €20m or 4% of global turnover – whichever is greater.
Three years on – what has changed?
Since the GDPR became enshrined in UK law in 2018, central and local government have had to work hard to meet compliance requirements and, crucially, be able to demonstrate ongoing compliance.
The Information Commissioner’s Office (ICO) has started to flex its muscles as the UK regulator, issuing some significant fines for non-compliance. For example, the London Borough of Newham was fined £145,000 for disclosing the personal information of over 200 people who featured on a police intelligence database (2019).
Recently, the ICO launched an investigation into the use of private correspondence channels at the Department of Health and Social Care, following the suggestion that ministers and senior officials had been using private correspondence channels to conduct sensitive official business. The concern is that personal data held in private email accounts or messaging services is forgotten, overlooked, auto-deleted or otherwise unavailable when a freedom of information request is made.
There have been a few other noteworthy developments, specifically in relation to international transfers of personal data:
- In July 2020, the European Court of Justice invalidated the Privacy Shield (Schrems II), which was previously considered an appropriate safeguard for international transfers of personal data from the EU to the United States of America.
- As a result of the Schrems judgement, the European Commission reviewed the existing standard contractual clauses (SCCs), which were redrafted. New versions were published in June 2021.
- In June 2021, the UK was granted adequacy status by the European Commission. This means that data transfers from the EU to the UK can continue freely as before, following the end of the Brexit transition period at the end of June 2021.
Compliance with the UK GDPR in central government
Given that central government works with significant volumes of personal data, compliance with UK GDPR requirements should be a key priority. However, some central government departments have reported a significant increase in workloads, not only to meet GDPR requirements in 2018, but also in terms of demonstrating continued compliance. A survey of government service providers by eCase (conducted in 2020) highlighted concerns with existing GDPR compliance measures and with the resourcing required to meet implementation and ongoing compliance requirements.
Prior to GDPR implementation, there was considerable concern that central government would receive a significant increase in the volume of subject access requests (SARs). The eCase survey found these concerns to be justified: 50% of respondents reported a 100% growth in the number of SARs received.
The central government compliance challenge is also exacerbated by an overreliance on manual systems, including standalone Excel spreadsheets, to manage GDPR governance. This presents considerable data integrity risks.
Data privacy considerations – horizon scanning
Looking forward, the newly published standard contractual clauses (published by the European Commission in June 2021) have been updated as a result of GDPR implementation and replace the old SCCs.
New transfer agreements should therefore incorporate the newly updated SCCs, and central government needs to be aware that SCCs currently in use must be replaced with the new SCCs by late December 2022. Achieving compliance and ensuring that the most up-to-date SCCs are in place require central government organisations to have full oversight of their international data transfers.
How can BDO help?
Members of our Digital Risk and Advisory Services team have extensive data privacy expertise. We are experienced in completing post implementation reviews and audits across all levels of government nationally. We have also delivered bespoke data privacy training across a number of European institutions. Additional services we can provide include:
- Gap analysis, providing an in-depth look at current levels of compliance with requirements of the UK GDPR, and identifying areas for improvement
- GDPR audits and internal audit support
- Remediation projects
- Data mapping
- Preparation of GDPR policies and procedures
- Assistance with data subject rights requests
- Advisory services in relation to data processing contracts and international transfers
- Third party processor assurance
- Training and awareness
- Support on DPO/DCO responsibilities
- Accountability services – introduction and maintenance of privacy compliance frameworks.
If you would like to discuss any of the issues raised or your organisation’s UK GDPR compliance needs, please get in touch.