Should governments think twice about trying to legislate away GDPR compliance for themselves?
The Swedish government is in chaos after a serious data protection breach.
Read our latest blog on how implementing full GDPR compliance will mitigate risks to the politicians themselves.
There has been much comment and coverage lately on how the Irish government are proposing to exempt public bodies from the significant fines under GDPR, if they breach data protection rules. The Irish Data Protection Commissioner, Helen Dixon, has publicly expressed her ‘serious concerns’ about such proposals. Her office sees “no basis on which public bodies or authorities would be excluded, particularly given that arguably higher standards in the protecting of fundamental rights are demanded of those entities.”
However, the news from Sweden over the last week of a serious data breach suggests that the fines associated with GDPR might be of much less concern to politicians and senior government figures than the prospect of major data protection issues damaging their own political careers.
In this case, the Swedish government has now sought urgent assurances on data security from national agencies including the health, education and pensions services after a huge leak of private and sensitive information that has cost two ministers their jobs.
Several ministers had known about the breach, which followed a botched 2015 data outsourcing contract between the national transport agency and IBM Sweden, for at least 18 months but failed to inform the prime minister, media reported.
Besides the entire national driver’s licence database, the records potentially included information on intelligence agents, military and police transport and personnel, people with criminal records and those in witness protection programmes, Swedish media have reported.
The problem definitely isn’t one of outsourcing IT systems and processing. There are benefits and disadvantages to any such programme, but that’s a separate conversation. With a carefully chosen IT service provider, proper internal data protection processes and adherence to the obligations for data controllers and data processors detailed in the GDPR, there need be no more risk in using outsourcers than in managing everything in house.
In this instance, using Data Protection Impact Assessments, identifying high-risk and sensitive data and considering the use of anonymisation or pseudonymisation, along with GDPR-compliant contracts defining the roles and responsibilities of both the data controller and the processor, would significantly mitigate the risks of a data breach. The GDPR requires new mandatory terms to be imposed on all data processors, which will help to alleviate the types of issues highlighted in the Swedish government breach:
- to process data only on the documented instructions of the controller;
- to ensure that the processor’s staff are committed to confidentiality;
- to take all appropriate security and organisational measures;
- to sub-contract only with the prior permission of the controller;
- to assist the controller in complying with its data breach notification obligations;
- to make available to the controller all information necessary to demonstrate compliance with its processing obligations, and to allow audits to be conducted by the controller;
- to comply with restrictions regarding cross-border transfers.
Many people have already expressed their concerns as to how the Irish government proposals could significantly dilute the government’s commitment to real data protection. But if government ministers currently think that GDPR compliance for public bodies is too onerous for them and legislating against being fined is an easy way out, perhaps the experience of Swedish government ministers and high ranking government officials might just make them re-prioritise the importance of data protection.
If you would like to discuss how Wizuda can help you avoid email data breaches in your organisation, contact us today.