GDPR in the public sector: A Rock and Roll listicle


While the consequences, obligations and fines of up to $20 million (or 4% of worldwide revenue) are keeping many private sector CIOs awake at night and have been widely discussed, GDPR’s far-reaching consequences for the public sector have rarely been highlighted. In a recent white paper, The impact of GDPR on the Public Sector, I put forward the thesis that GDPR offers public sector organisations more leeway than private enterprises for processing data, but that in order to comply with all GDPR obligations by May 2018, the workload for the public sector is vast.

Rather than the usual management summary, I’ve provided a list of five Rolling Stones’ song titles and what we learn from them about GDPR in the public sector. I know it’s only rock and roll, but I think it makes for much nicer reading.

Gimme Shelter

In principle, GDPR applies to all personal data – all information relating to an identified or identifiable natural person, including genetic and biometric data – intended to become part of a “filing system” of EU subjects, independent of the public or private nature of the receiver.

However, with respect to public authorities, not all personal data are the same. For specific areas of public sector activities, broadly related to oversight, crime detection and crime prevention, GDPR does not apply and existing legislation concerning lawful processing remains in force.

You Can’t Always Get What You Want

GDPR strictly describes what constitutes lawful processing of personal data by public authorities. Generally speaking, legal basis is the name of the game for public institutions. The “need for consent” is largely eliminated: consent is not required for the data processing activities of public institutions if the institution can demonstrate that the processing is in the “public interest” and falls within its legal authority.

Beast of Burden

In some respects, the operational burden in implementing GDPR is much heavier for the public sector than for the private sector.

Although GDPR is a regulation and therefore does not need to be translated into national law, it does leave a few blank spaces where member states can introduce more specific requirements. This legal workload will be complemented by a number of practical arrangements that need to be made, such as establishing a supervisory authority, appointing data protection officers, informing data subjects and integrating data protection impact assessments.

Get Off of My Cloud

Data Protection Impact Assessments (DPIAs) are an analysis of the risk of non-compliance with GDPR and will become standard procedure during the implementation of all processes “likely to result in a high risk to the rights and freedoms of natural persons,” in particular those using new technologies such as cloud.

For public authorities that process lots of personal data, this entails a new way of preparing to implement almost any significant new technology or ICT project. Public sector institutions therefore will need to revamp their project methodologies and data protection culture.

Down the Road Apiece

Public authorities, semi-public companies and public agencies will all need to come to terms with the new requirements, and all procedures will need to be reassessed from the GDPR perspective. The white paper includes a to-do list. Let’s get to work!

Simon Nichelson is a public sector business analyst at DXC Technology. He holds master’s degrees in European politics and policies, modern history and philosophy. You can follow him on LinkedIn.
