Most of you will be familiar with the mantra teachers drilled into us at school: fail to prepare, prepare to fail. This mantra could not be more apt for the upcoming General Data Protection Regulation (GDPR).
With May 2018 looming, the GDPR compliance clock is only getting louder and louder. With just over a year to go, it could be easy for government organisations to be complacent, but I would caution against this. GDPR will demand huge changes to organisation, IT infrastructure and culture, which means compliance will not be a swift or easy undertaking.
Power to the people
GDPR will give people more rights and powers over how their data is used. For instance, citizens will have the ability to request details of all the information held about them by any agency, known as a Subject Access Request (SAR).
Although empowering for the general population, this means government bodies have to put data management at the fore. The challenge is exacerbated by the fact that data management strategies across government are traditionally decentralised, an approach that will need to change in order to comply with a complex piece of regulation geared towards managing the entire privacy lifecycle of data.
Another hurdle that GDPR will bring is the impact of stricter rules on data consent and the sanctions government could face. The maximum fine is set at €20 million and, as Whitehall departments are busily trying to cut more costs, a fine this size is likely to cause much anxiety.
Imagine if the recent NHS data loss occurred after GDPR. The NHS, which is already bursting at the seams, would have had to cough up €20 million after losing patients’ sensitive data. Money it doesn’t have to spare.
A plan of action
The question for government is how can it tackle these challenges? To my mind there are five key areas that need to form the basis of a GDPR strategy:
Being transparent with citizens
The recent issue facing Google DeepMind and three hospitals was a big learning curve for government regarding data consent, and one that public sector bodies can learn a lot from. The two partnered to detect kidney trouble and were criticised, albeit in a report Google and the hospitals disputed, for a lack of patient consultation. What they discovered was that it doesn’t matter how good the cause or intention is. People want to know in no uncertain terms where, what and how their data is being used.
For data sharing to become a boon rather than a burden, people need to feel like their data is in capable, safe hands. Therefore an open dialogue between departments and the public is the only way forward as we shift towards an ever-increasing digital world.
Following on from the need to be transparent comes a need for education. As human beings, we don’t trust things we don’t understand. If citizens had a better understanding of technology, it would tear down the barrier to understanding data. Therefore, government departments need to educate people on why data innovation is important and what it actually entails.
This could be done through workplace initiatives in the private and public sectors whereby digital skills courses become mandatory and the bigger picture of data usage is outlined. This education would benefit government departments’ privacy teams in becoming more proactive in scanning for risks and threats and sharing best practices with the rest of the organisation.
A different approach to data
Ultimately, GDPR is going to require a completely different approach to data architecture than currently exists. Government is going to need to think more strategically about where data is held, in which systems, and whether the correct user permissions have been applied and inconsistencies eliminated.
To do this, someone needs to have oversight across all departments to ensure a standard approach and reduce the risk of non-compliance. Data officers are already emerging within government, but their role needs to be wider ranging and lines of responsibility clear. Shared resources have not always worked well, but this should not deter the government from establishing a Chief Data Officer.
A problem shared is a problem halved
Talk to your peers. This simple point is often overlooked. Go to networking events and conferences. Discuss and share pain points and find out how other public sector bodies are preparing for GDPR. The amount of knowledge I’ve gained over the years by hearing from others and how they deal with it is immense.
Additionally, there are so many free resources available. For instance, Nesta worked with Camden to benchmark best practice for local governments and has produced a comprehensive report named Wise Council: Insights from the cutting edge of data-driven local government, which highlights the best uses of data in UK local councils.
These examples include data-informed social workers, open data portals, sensors which tell gritting vans where there is snow and ice, and plastic frogs which record data about damp levels in people’s homes. There is no point reinventing the wheel; see what worked successfully for others and adapt it to your department.
Bring in the experts
As mentioned, GDPR won’t be an easy task. And public sector bodies should acknowledge they don’t have to do it alone; there are many experts who specialise in data management and have the right open source tools to do the heavy lifting in a fraction of the time.
Right now GDPR can feel onerous, but in the long term it will be a win-win. Citizens will be happier and government will not only become more streamlined, but also more dynamic. This is a fantastic opportunity to be more innovative. Broken data has plagued government initiatives for years; GDPR opens the door to a new era of data-driven government. As the saying goes, carpe diem.
And much like an older sibling, no doubt the public sector will be encouraged to lead by example and be made an example of if they fail to comply.
Aingaran Pillai is CEO and founder of Zaizi and Government Board member for Tech UK