GDPR is for Public Sector Organizations Too
I’ve talked to many public sector customers over the past few months as I traveled around Europe to meet them. One of the hottest security- and compliance-related topics that customers want to discuss is the General Data Protection Regulation (GDPR). On May 25, 2018, GDPR came into force. This new regulation raises the minimum bar where personal data protection is concerned.
One of the biggest potential misunderstandings I’ve encountered when discussing GDPR with customers is that it doesn’t apply to public sector organizations. In reality, many public sector organizations need to comply with GDPR. The reason for the confusion among some organizations is simple – GDPR is complicated. If there’s any doubt whether your organization needs to comply with GDPR, please consult a legal professional.
The GDPR is 88 pages long. In those 88 pages, the words “public authority” and “public authorities” are written 49 times. Examining the context where these words are used gives us a clearer picture of how GDPR applies to public sector organizations. Here are some excerpts that help.
In this first excerpt, GDPR acknowledges that public authorities make use of personal data, just like the private sector.
“(6) …The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities.”
GDPR outlines a model that references “controllers” and “processors” of personal data, and deems them responsible for protecting personal data in their respective roles. The regulation clearly states that public authorities can play these roles.
“(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;”
GDPR even contemplates that public authorities could be subject to fines for violation of the regulation.
“(150) …It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation.”
Yet GDPR explicitly does not apply to the processing of personal data by public authorities in some contexts, such as the prevention, investigation and prosecution of criminal offences.
“The protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and the free movement of such data, is the subject of a specific Union legal act. This Regulation should not, therefore, apply to processing activities for those purposes.”
The application of GDPR to the processing of personal data by public authorities is context dependent, and public sector customers will need to individually assess the applicability of GDPR to their activities. As the Vice President of AWS Security Assurance recently wrote in a blog post titled Tips for Success: GDPR Lessons Learned, “The most important single partner in solving GDPR is your legal team. Having non-legal people make assumptions about how to interpret GDPR for your unique environment is both risky and a potential waste of time and resources. You want to avoid analysis paralysis by getting proper legal advice, collaborating on a direction, and then moving forward with the proper urgency.”
A post by Tim Rains, Security & Compliance Leader for EMEA, Amazon Web Services