
Q&A: GDPR - an opportunity to build trust

Simon Merrick, managing consultant at Agilisys, discusses why GDPR is an opportunity for the public sector to build trust among citizens and positively enhance service provision

What can public sector organisations do ahead of the May deadline to ensure they’re ready for GDPR?

The less obvious answer is to think beyond May!

I think it’s going to be chaotic over the next five months – the media will fan the flames, no doubt – and that works two ways. It will help in terms of raising awareness, but what it’s also going to do is tell everyone that the GDPR is out there and we can go and exercise our rights.

In terms of what organisations need to do to respond, they’ve got to look at the processes and procedures they have in place for managing subject access requests and being able to deal with citizens and data subjects that want to exercise their rights.

However, let’s put that into perspective. We already have a lot of these rights under the current Data Protection Act. The Subject Access Request – we can all do that today, although very few of the electorate actually do. What’s changing is that you won’t have to pay for it and the timeframe for an organisation to respond to you is now 1 month instead of 40 working days. I don’t think that is the big challenge – the challenge is the media hype, that it will make people aware and increase volume, because every man and his dog will go, “oh great, can you tell me what data you’re holding?” or “I object to you processing my data, what are you going to do about it”.

The public sector will have to marshal its resources, so they can turn around and know when to say, “we accept your right to object, but we reject your right because we’re processing your data because we collect this data under the legitimacy of delivering a public task”. That’s a lot of training for customer call agents and administrative staff to know what to say and do. They need to be aware, organised and ready to manage and track the requests.

However, I personally think that the initial high volume in these sorts of requests will be a very short-term thing and the media will move on to something else after May. I therefore see the volume of work on the customer interaction side dropping off.


That, therefore, opens the question of what next? What happens once the media interest tails off?

The wrong attitude is to see this as another boring compliance tick-box exercise all done and dusted by 25 May 2018. The right attitude is about really understanding and applying the principles which the GDPR is trying to drive.

I was just reading this morning about Facebook’s new and shiny privacy policy which it’s rolling out to the EU. Facebook, like many organisations, is very good at packaging and simply re-spinning what GDPR is saying – but words on a privacy notice are not enough.

The essence is this: how does an organisation want to build long term and enduring trust with its customers? You can’t do that with a tick-box exercise. Yes, you can untick that consent box on your website, but that doesn’t mean you are compliant in the spirit of GDPR, and I think organisations and their CEOs have got to step back and consider this much bigger question. In the case of the public sector, citizens don’t really have a choice, we’re not really customers who choose to engage, so the meaning of trust and how it’s won and retained is going to be different from that of a commercial organisation.


Do you think councils can use GDPR as a way of enhancing their service?

I think so, so long as they don’t place responsibility for compliance with GDPR solely within the office of the Data Protection Officer (DPO) or the Compliance Manager.

Yes, you need to have a DPO, because you’re a public sector organisation, but they should be sitting next to and talking with your CIO or Transformation Director within the senior leadership team.

From my own personal experience in running GDPR compliance projects, the biggest challenge is making the case for the changes organisations need to make in how they think about data privacy. Not just at a mechanical data awareness level, but at that deeper “how do we want to engage with people” level.

So, for example, we’re talking to HR and sales and marketing teams about the privacy notices they have. It’s all quite technical and methodical. But my question to them is, what level of trust do you want to create with the employees that work for us and how do you want that trust to work? How do you want to talk to new business prospects?

These are not new questions, but GDPR is now driving a privacy angle that hasn’t really featured in conversations before. They aren’t questions the data protection officer is going to answer – it requires someone in transformation thinking about customer contact and engagement, and it needs the HR director thinking about how we can support employees better and build a trust level that shouts they have their employees’ best interests at heart, not just profits.


Is it fair to say that GDPR could be the encouragement councils need to crack on with their digital journeys?

Yes and no. I say yes because deadlines drive action and a greater focus on the better use of technology and data is the direction of travel. GDPR has the potential to be that catalyst. But we also must respect that GDPR isn’t all about digital – it’s about data everywhere on any medium – there’s still a large population of non-digital users. GDPR affects all of us.

I also say no. Councils need several things to be true to use GDPR to drive a clear out of old and redundant behaviours and data and bring in some breathing space for our overworked services.

Three key elements need to be in place. First, a senior leadership team that puts data privacy and digital transformation in the same sentence at the top table. That’s a change in mindset right there. Second, they need an existing culture and staff base that already respects and understands the value of digital information – that takes time if the culture and organisation isn’t already in place. Finally, they need the breathing space to come up with the ideas, innovation and wherewithal to plough that digital path – and that sometimes needs external support which may not be within the appetite of the organisation.


How does that extend from the authorities to the companies that they work with?

Much like the local government data security landscape is no longer confined by the perimeter of the council buildings, its data privacy landscape extends from the moment personal data is received by the council to the point that it is deleted and, crucially, all the sharing points with suppliers that take place in between.

Commercially, it’s important that councils work with their suppliers and supply chain to ensure that they share their understanding of GDPR within the contract, but also to ensure a mutual understanding and respect for data privacy. Any organisation, service or product that appears not to demonstrate this understanding should be scrutinised closely. This is partly a data collection exercise but it’s also a relationship exercise, and councils should take a close look at their key suppliers and not just take the easier ‘tick-box’ path of sending out a questionnaire or requesting a statement. It’s all about trust and managing risk.

The government very helpfully put out some advice at the back end of December, advising public sector organisations to go and talk to their suppliers, and has provided some clauses that they can give to their suppliers to help them, at least commercially, to step up to the new regulations.


If you could sum up what public sector organisations need to do in three key points, what would they be?

Firstly, if you’ve got a data protection officer, don’t keep them in their office. Pull them into the boardroom on an ongoing basis and have them metaphorically sitting next to your head of transformation, CIO and head of security.

Secondly, spend time with your supply chain. Whilst it feels intuitive to focus on the suppliers you spend the most with, make sure you also take a privacy risk perspective too. Your weak point might be that supplier you spend just £1,000 a year with. Don’t just give them an agreement and tell them to sign it. Sit with them and work with them, make sure that they understand and share the same value of data privacy and security that you do. And for suppliers that don’t get it, get rid. Work with suppliers that share your values.

Thirdly, and most importantly, think about how you are going to build that trust with your citizens, who may or may not have a choice whether they transact with you or not.

These three points, when tied together, will help organisations to positively embrace the spirit of GDPR – and that’s got to be better than purely seeing it as another needless box-ticking exercise.
