Enterprises are overhauling data collection and management policies to comply with the European Union’s General Data Protection Regulation (GDPR), which is set for enforcement in May. The GDPR is a wide-ranging regulation that affects any organization collecting and processing EU citizens’ personal data — even if the organization itself is not based in the EU. Most of the conversation has centered on the security and data problems private enterprises will face. The public sector is a different animal. The GDPR recognizes that there must be some leeway given to the organizations acting in the public interest in special circumstances, especially in situations involving security and health.
GDPR Exceptions for Endeavors Serving the Public Interest
The GDPR applies to all kinds of personal data, which includes information that can be used to distinguish an individual, such as names and social security numbers, and special categories such as political opinion and ethnic origin. Pieces of valuable data like these are commonly collected by public organizations — from census takers and voting bodies to medical and occupational groups. They can also be used against the data subject in many ways by malicious actors, thus, the need for data protection regulation.
While the GDPR outlines guidelines and strict security standards for collecting, managing, and processing personal data, there are some instances where certain sections of the GDPR may be relaxed for public authorities that are data controllers or processors. Depending on Union or Member State legislation, exemptions may include the following:
For the purposes of exercising specific rights of the controller or of the data subject in employment and social security and social protection law
For national defense, criminal investigations, and safeguarding the general public
For financial or economic interests of EU Member States and the Union
For archiving (in the public interest), scientific or historical research, or statistical purposes, but only if exemption is necessary for the success of the work
Mainly, these concern specific areas of public sector activities related to public safety and academic work. For more general situations, the GDPR does fully apply to the public sector, and rules on processing and collecting data should be complied with.
Processing Special Categories of Data
A significant part of the GDPR deals with identifying which data types are personal and managing how organizations process these data types. The regulation is quite comprehensive in its rules for personal data, and prohibits the processing of data on racial or ethnic origin, political, religious, and philosophical beliefs, genetic and biometric data, and data on health and sexual orientation. In situations wherein public organizations might require such types of data, the GDPR specifies exceptions to the prohibition:
If the processing is necessary for reasons of considerable public interest, then there is some leeway in the GDPR, provided suitable safeguards for the fundamental rights and the interests of the citizen are established
If the processing is related to the area of public health or ensuring high standards of health care, medicinal products, or medical devices
If the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes
These exceptions are, of course, made with the expectation that Union or Member State laws ensure that the fundamental rights of the citizens are protected.
Members of the public sector handle sensitive data that private enterprises don’t usually have access to, from things like social security numbers to racial and biological profiles, even dental records and complete medical histories. It’s absolutely critical that public bodies and organizations secure all the data entrusted to them. If a cybercriminal were to gain access to databases, the breach could easily lead to identity theft and cause expensive and exhausting problems.
What Organizations Should Do
Many private sector organizations are focused on updating their security solutions and revamping their processes to address new standards outlined by the GDPR in terms of data protection. Aside from that, they are also concerned with complying with regulations centered on getting data subjects’ consent and the right to be forgotten. However, public sector organizations have more flexibility when it comes to the latter issues due to public interest. This flexibility also means data security is even more necessary.
The challenges for the public sector would be classifying data in terms of the exemptions laid out by the GDPR, aligning policies and processes with corresponding Union and national laws, updating security solutions, and ensuring the data pipeline is secure. With or without exemptions, employing updated and state-of-the-art solutions will ultimately give public bodies a security advantage.
To achieve more secure data collection and management — and comply with the GDPR — public organizations should do the following:
1. First, map your data flow and do a risk assessment: What data do you have? What is the purpose of the data collection? Is the processing in the interest of the general public? Who can access the data? Can it be deleted?
Organizations should practice data minimalization, that is, cutting out all unnecessary data they collect from customers and/or citizens.
2. Then assess and update your data collection and user consent policies, keeping in mind exceptions in regulations that may apply.
3. Employ a data protection officer (DPO), and ensure a line of communication between the DPO and the data subjects for any concerns (like requests to be deleted from any database).
4. Update cybersecurity solutions and security policies. When talking about data, the GDPR says that organizations should take “appropriate technical and organizational measures” to ensure security in storage and processing.
The regulation says that organizations should take the “state-of-the-art” into consideration for security, so top-tier security solutions should come into play.
5. If you process data, maintain a comprehensive record of activities. The GDPR specifies that organizations need to identify and keep a record of details like: where personal data is being processed, who is processing it, and how it is being processed.
6. Review service providers or vendors — anyone who processes your data. They should also be compliant with the GDPR. Any agreement between you and your suppliers should be updated to address commitments to compliance and personal data privacy.
7. There are stricter rules and bigger fines for those who do not properly report breaches — for both controllers and processors. Keep reporting policies up-to-date and perform run-throughs of potential breach situations.
This list is not exhaustive but is a good start for organizations.
Member States of the European Union have additional duties: 1.They must install a Supervisory Authority, which is responsible for monitoring and enforcing the application of the regulation, as well as other tasks. 2.They also have to fill in a lot of legal blanks. The GDPR leaves a lot of room for governments to add specific restrictions or exceptions. The regulation describes the minimum requirements and Member States can further determine limitations or exceptions.
With more personal data comes more responsibility. All in all, an organization must keep privacy in mind when designing data management policies and procedures. Public organizations may be focused on delivering services quickly and efficiently, but taking into consideration the current threat landscape, security has to be a top priority. More efficient and secure data management is invaluable for any organization, especially when public interest is at stake — and especially in today’s connected and data-driven world.