Government can use GDPR to be more proactive about data

This week, the General Data Protection Regulation (GDPR) comes in to force. This has been heralded by Elizabeth Denham, the Information Commissioner, as “the biggest change to data protection law in a generation”.

The new rules place obligations on any organisation that handles the personal information of EU residents, and will continue to apply after Brexit thanks to the Data Protection Act 2018, which recently gained Royal Assent.

In its response to these new regulations, government should avoid being purely reactive – doing only what is necessary to ensure compliance. Instead, government should recognise the value of the data it holds, and should seek to unlock its potential in the process of making GDPR-related changes.

Government making better use of data will deliver benefits to the public

Effective use of data has the potential to transform how government operates, improving the quality of public services while reducing the cost to taxpayers. In a speech at Jodrell Bank this week, the Prime Minister spoke of an ambition to “use data, artificial intelligence and innovation to transform the prevention, early diagnosis and treatment of diseases like cancer, diabetes, heart disease and dementia by 2030”. John Manzoni, the Chief Executive of the Civil Service, has also spoken of the benefits of big data in government, noting how “the Home Office Child Abuse Image Database has transformed the investigation of child abuse crimes and child protection…(making) the investigation and prosecution of these appalling crimes vastly more effective”.

With pressures building in key public services, it will be vital for government to realise the opportunities offered by data. But this will not happen unless government is more proactive about how it uses data. Too often still, the quality of government data is poor, hindering the ability to use data to inform decisions. This means that a valuable asset is going to waste.

Becoming compliant with GDPR will require significant effort across government

New GDPR rules will mean that (among other things):

• Organisations that process personal data must have a specific basis for doing so (the Information Commissioner’s Office has outlined what the six lawful bases for processing data).
• Processing of data must be "targeted and proportionate", and data should not be held longer than is necessary.
• Individuals will have the right to access a copy of all the personal data an organisation holds about them, with organisations given 30 days to respond.

To comply with these new requirements, the public sector will have to make significant changes to how it handles personal information, which will come at a cost. There are also risks – for example, if the costs of complying with the new requirements are seen to be too high, some organisations could opt not to collect certain types of data even if it could prove valuable.

But responding to GDPR focusing solely on what shouldn’t be done with data, or by scrambling to do the bare minimum to become compliant, would be the wrong approach for the public sector to take.

GDPR offers government a unique opportunity

People who wouldn’t normally be talking or thinking about data are suddenly doing so (with the number of Google reaches for GDPR recently overtaking those for Beyoncé), and existing processes for managing data – which may have been in place unchallenged for years – are now being examined.

The public sector can make the most of this by taking a strategic approach to any changes they make, consciously thinking about why it collects the data it does, and what benefits the data can offer, and how it can fully realise that benefit.

Individuals’ right to access their own personal data will also require organisations to have reliable systems for identifying all the data they hold, and linked up datasets that allow them to easily extract information when requests are made. Again, however, this can offer advantages beyond compliance with GDPR. For example, at the Department for Work and Pensions, linking datasets across the organisation can allow job seekers to be shown advice and job opportunities that are targeted to their personal profiles.

Every organisation will have to make changes in response to GDPR. They should think strategically about which ones could deliver wider benefits.