It’s touted as the Holy Grail to encourage data compliance, customer retention and nurture by most in the industry. In fact, in our April blog, Graham explains how financial institutions can use the requirement to comply with new legislation around personal data collection and processing as an opportunity to regain consumer confidence.
GDPR is, of course, applicable across many sectors. In my first post, in a series of three articles, I focus on the Impact of GDPR Regulations in the Public Sector. This will be followed by some further thinking around:
- The right to erasure in a highly connected environment and
- The right of access
While several analysts have focussed on the impact of GDPR on private operations with large marketing functions, some have unearthed interesting analyses on its impact in the public sector. These insights could enable public sector organisations to address data dilemmas in the process of getting GDPR compliant.
Penalise Data Breach Offenders
For example, this commentary from the Public Sector Executive website highlights the governance required and ramifications of failure - notably the much talked about hike in potential fines. The new fines for data breaches can be up to four percent of the turnover or €20M. Failure to disclose the breach within 72 hours is set at half of these values.
As an aside, I’m intrigued as to what would happen in practice to calculate the fine in an organisation like the DVLA, for example?
Guard against Unscrupulous Data Requests
What about some of the more specific rights of individuals now enshrined in the new regulations? There are several categories of rights that an individual has, and many of them rely on an individual contacting an organisation. They could do this to make a request about their data such as accessing, amending or erasing it.
In such situations, the first thing an organisation must do, if contacted under these provisions, is ensure that the person making the contact is correctly identified. The last thing that government departments want is unfavourable press coverage around rushed implementations of GDPR processes involving unscrupulous individuals to acquire sensitive personal data about others.
Consolidate Identity Management Gateways
Identity assurance as a foundational step for ensuring compliance with data processing rules is a hot topic. Gartner delivered the GDPR compliance debate as the preamble for the 2017 Identity and Access Management Summit. A quick Google search on, ‘Subject Access Request gov.uk’ reveals that different departments have diverse formats and forms. Most of these are downloadable as PDFs.
Is there an opportunity here for developing a common, consolidated identity management gateway or platform using an established authentication service such as Verify? So that public sector bodies can register their data protection officers and enable them to receive requests on personal data. This will as a result, instil confidence about the authenticity of both parties. The common gateway will also avoid the problem of duplication of data from diverse sources and formats, by creating a single gateway and enhancing security.
Once established, the identity management system could serve as a gateway for all the other data request rights that a citizen has. This includes the right to access their data, the right to rectify it, the right to understand how it is being used for profiling and analysis and more.
Do you agree that a single Identity Management solution is the key to confidently implementing GDPR compliance in the Public Sector? Is there something already existing in this space that I may have missed?
Feel free to share your feedback in the comments section below, or contact me at firstname.lastname@example.org