Tara McGeehan at CGI outlines a strategic imperative
Recently the Information Commissioner's Office (ICO) disclosed that the majority of General Data Protection Regulation (GDPR) enforcement actions in 2024 were directed at public sector organisations. Of the 31 cases listed on the ICO's enforcement register, 27 were associated with public bodies, with the remaining four involving private companies.
This naturally raises the question of how organisations can reprioritise and place greater emphasis on data security. By implementing robust strategies and controls to safeguard sensitive citizen and employee information, public leaders can protect both core operations and their organisation's reputation.
In alignment with the ICO’s findings, recent research from CGI identified that digital sovereignty – the commitment to protecting confidential data – ranked as one of the lower priorities for regional leaders. The study analysed the manifestos of 12 metro mayors, finding that data security only appeared in 50%, significantly lower than other digital pillars like sustainability and transformation.
This suggests that there is room for leaders to take a more proactive approach to compliance and to empower IT teams to embed security in strategic planning. Addressing how the public sector can build long-term resilience and adopt a more strategic approach to data governance is critical for the UK.
A culture of preparedness for digital resilience
Public sector organisations must encourage a proactive data protection mindset rather than a reactive compliance approach. This means taking a top-down approach, with leadership buying into the view that data security is a fundamental operational pillar. Different departments should be encouraged to collaborate when integrating security processes and tools across all digital initiatives.
Being mindful of GDPR compliance is also essential when considering wider operational functions, such as procurement or third-party contracts.
In tandem with internal initiatives, organisations should explore the use of partnerships to improve their digital resilience. In order to be best prepared, organisations need support and the expertise offered by true partnerships.
The right collaboration will help establish the best approach to address any failings in digital processes and controls. In the same way that local governments are experts at providing the right services for their citizens, they likewise need expertise from data security professionals.
Whilst a proactive approach is critical, so is a reactive plan. This means security teams should develop clear protocols for detecting, reporting, and responding to data breaches. Data teams need to communicate these effectively to wider organisational leaders and departmental managers. These should also be put into practice, with regular incident response testing and reporting on the effectiveness of remediation activity.
AI and emerging technologies for data protection
Innovation should be treated as an ally, and this means building an ethos that values experimentation to find new ways for leaders to be more effective.
Technologies like AI should be treated as enablers of better data hygiene and compliance, but they need to be implemented responsibly. As an example, security teams can incorporate AI-driven risk detection and automated alerts, and use the analytical capabilities of AI to classify sensitive data quickly without breaching governance frameworks.
However, innovative tools are only as effective as the people using them. This means the workforce must be trained through upskilling and reskilling pathways. Users should be immersed in the tools, given thorough support to learn how they work and, importantly, empowered to experiment with them to realise their true value. This will help leaders establish which tools are the right fit for their data security needs, whilst maintaining responsible use.
Tapping into partner ecosystems can elevate this further. Leaning on third-party expertise ensures the right technology is implemented in ways that maximise its value and protect user data. It also means that specialists can be brought into the organisation, providing targeted guidance and advice to help data security teams get to grips with new technology quickly.
Comprehensive data mapping
In order to protect the data they hold, public sector organisations first need to know what data is collected, where it is stored, and any access arrangements. This requires implementing the right strategies for effective data mapping.
Having clear governance frameworks in place and conducting regular audits to categorise sensitive versus non-sensitive data enables data officers to understand the data they hold. By deploying the right automation technologies, this can be elevated further to track public data seamlessly.
This work needs to be supported by establishing robust risk assessment methodologies. From a risk management perspective, these will help data monitoring teams identify and mitigate vulnerabilities that could expose critical data. This includes standardised data classification and sensitivity analysis, so teams can model their attack surface, prioritise protecting the right data, and minimise exposure.
A roadmap for data responsibility
Overall, public sector organisations are still prioritising other areas over GDPR compliance. This is natural given the breadth of core operational and organisational needs, but data resilience is a clear area for development. It is important for leaders to have control over their sensitive data, and the infrastructure built around it, with long-term security strategies.
However, compliance can never be viewed as a box-ticking exercise; treating it as one could result in dire consequences such as data breaches.
Public bodies need to find new, more streamlined ways to improve digital sovereignty, whilst balancing other priorities and initiatives. This will require a clear understanding of data mapping, a cultural shift towards preparedness, and the responsible deployment of emerging technologies like AI.
Without taking these important measures, public bodies could risk financial penalties as well as loss of public trust in their ability to safeguard critical data.
Tara McGeehan is President of CGI UK and CGI Australia
Main image courtesy of iStockPhoto.com and :imaginima
© 2025, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543