The Impact of Privacy on the Public Sector

Data Requests Under GDPR to Push Cost to Public Sector Past £30 million

  • Annual costs to complete requests for personal data reach £20.6m for NHS and £7.9m for local government
  • £2.1m gap will emerge as organisations can no longer charge a fee to complete requests
  • Some 30 million requests are expected across public and private sector this coming year, which will cost UK PLC £4.5bn

Newbury, UK, 4 July 2018: New research released today shows that public sector organisations face increased financial pressure as a result of the recently implemented General Data Protection Regulation (GDPR), to the tune of £30 million per year. The NHS is expected to be hit hardest by the influx of data requests, given that before its introduction it cost the NHS £20.6 million per year to retrieve customer data.

The impact of GDPR doesn’t stop there. Further new guidelines ruling that in most cases an organisation must also complete requests free of charge are an extra blow to budgets. This marks a key change from previous guidelines under the 1998 Data Protection Act (DPA), which allowed a processing fee to be charged. As such, a £2.1m gap in income per year is expected to emerge.

The detail behind the numbers:

The figures are the result of an extensive Freedom of Information (FOI) Act request made by Exonar, a leading provider of GDPR data mapping and data inventory solutions, to 458 organisations, including NHS Trusts (206), local government (125), central government (61) and emergency services (66) from across the UK.

The FOIs asked for the number of subject access requests (SARs) received by the organisation in 2014, 2015, and 2016* and the cost of processing each SAR.

On average, a SAR cost £145.46 to process, though some bodies admitted it costs much more, sometimes running as high as £1,800, such was the complexity of finding data and the associated administration. Multiplying the average cost to complete a SAR by the number of SARs received by the respondents in 2016 (209,023) results in a total administration cost to the public sector of £30.4 million.

Each organisation could previously have recouped some of the cost by charging a recommended £10 fee to complete a SAR, but under GDPR they will no longer be able to, resulting in a £2.1m deficit that is set to grow wider as more requests are made.

NHS will be hit hardest

The study found that on average each NHS Trust already receives 800 requests per year. Multiplying this by the average cost of processing SARs and then by the 241 Trusts in the UK, the total cost to the NHS of managing SARs stands at £20.6 million annually. It’s expected this will only go up as more people become aware of their rights.

In general, the public sector will struggle to meet SAR response deadlines

The GDPR has trimmed the amount of time that organisations have to complete SAR requests from 40 days – as per the 1998 DPA – to one month.

Exonar’s research found that many organisations struggled to meet the deadline for providing answers to its FOI requests (requests must be completed within 20 working days), highlighting the difficulty that many will face complying with requests under the new GDPR requirements.

The time to respond to an FOI varied from one day to 159 days. On average it took 24 days, with the NHS averaging 27, emergency services 21, central government 22 and local government 23 days.

Some Trusts can’t put a figure on the cost of processing a SAR

Some NHS Trusts declined to provide a figure, such was the complexity of finding all the data related to a person. One such Trust was Calderdale and Huddersfield NHS Foundation Trust, which, though it couldn’t provide a figure, highlighted that the costs would include 3 WTE band 2 staff (approx. £16,500 pa each), plus costs such as discs costing £1,044/year, envelopes with an annual cost of £40, and postage costs at £1.48 per patient.

The Trust added that this would be a minimum cost and there are other costs that “cannot be quantified”, such as involvement of management, clinicians, physio and health visitors, finance and even X-ray costs.

Adrian Barrett, CEO and founder of Exonar, said that the variance in time taken to respond demonstrates how complex a task SARs are in the public sector: “The good news is the public sector is taking its responsibility to do a thorough job and find all the data pertaining to a person seriously. However, there’s a heavy process burden, especially when multiple bodies are involved, and the NHS in particular needs an alternative to manpower to trace data if it is to avoid penalties of non-compliance.”

Adrian adds that digital initiatives in the public sector have to be accelerated to relieve the burden on the public purse: “Our estimates on the costs of managing SARs are probably conservative but we do expect an immediate bow wave in response to all the GDPR emails we saw in May and June.

“Because the public now knows about the GDPR they are more likely to raise more SARs, and if there is a sudden wave of requests the public sector will be stretched further. It’s clear that the government needs to take advantage of new technology, particularly artificial intelligence, to help the public sector become more efficient with handling, organising and retrieving its data.”

Local government also hit hard, to the tune of £7.9 million

For local government the cost of managing a SAR stands at £596. With each council receiving around 138 SARs annually, the 418 local government bodies across the UK could expect to see total costs of £7.9 million/year. This number is expected to rise given that between 2014 and 2016 the number of SARs jumped from 15,173 to 17,274.

It’s estimated by Exonar that an average SAR will run to thousands of pages as complete medical histories and the like are produced. It’s a reflection of the situation in the private sector, where a bank provided 2 boxes of paper for a single customer who had banked with them for 25 years.**

Barrett says the total number of SARs could cost UK PLC billions: “We expect 30 million requests to be made this year to private businesses of all sizes and the public sector. If we assume the cost to process a SAR is the same in public and private sectors, then the cost to UK PLC stands at £4.5bn. That’s an extraordinary sum to set against admin that has no value to a company.”

A copy of the full report, which details all the findings and compares NHS, emergency services, local and central government, can be requested here.

Notes to editors
*complete data for 2017 was not available
** A limited-scope SAR submitted to a high street bank that a customer had been with for over 20 years generated over 800 sheets of paper, enough to fill two DHL boxes. An image showing the results is here.
Additional research related to how the public will react to their new-found data rights is here. It highlights that 57% of UK adults would raise a SAR on companies and public sector organisations once GDPR was explained to them.

About the research
458 public sector organisations responded to FOI requests between September and November 2017. The FOI asked for number of SARs received between 2014-2016 and the cost to complete a SAR. 206 NHS Trusts, 125 local government, 61 central government and 66 emergency services from across the UK completed the request.
Numbers have been calculated by averaging the figures provided by the different sectors to provide sector comparisons in particular for the NHS and local government. There are 418 local government bodies, and 241 NHS Trusts.

About Exonar
Exonar solves a problem common to all organisations and their senior information owners: “I just don’t know what I’ve got”. Exonar finds and fixes an organisation’s information, from databases to documents – instantly and at scale. We use machine learning to understand what’s important, where it is and who has access to it.
Exonar identifies documents containing passwords, customer and confidential information enabling successful governance, risk management, document retention, cyber security and compliance with forthcoming regulations such as GDPR – with ease.
We enable organisations to better organise their information, removing risk and making it more productive and secure. Visit us at exonar.com or follow us @Exonar.

 

CCPA – The Definitive, Easily Searchable Text

In the last 12 months, data privacy has moved from a niche topic to something talked about at almost every corporation’s board meeting.

The EU GDPR, which came into force on May 25th, 2018, covers data held on any EU citizen and enforced new accountability for organizations processing personal data.

With the legislature passing the California Consumer Privacy Act 2018 (AB 375) on June 29th, 2018, there is now a similar set of rules governing most organizations holding data on US Citizens.

We’ve now made it easy for you to read the act in full with our easily searchable CCPA text below:

California Consumer Privacy Act

CCPA 2018 Introduction

Section 1

Section 1 This measure shall be known and may be cited as “The California Consumer Privacy Act of 2018.”

Section 2

Article A In 1972, California voters amended the California Constitution…
Article B Since California voters approved the right of privacy, the…
Article C At the same time, California is one of the world’s leaders in…
Article D As the role of technology and data in the every daily…
Article E Many businesses collect personal information from…
Article F The unauthorized disclosure of personal information and…
Article G In March 2018, it came to light that tens of millions of people…
Article H People desire privacy and more control over their information.
Article I Therefore, it is the intent of the Legislature to further…
Article I (1) The right of Californians to know what personal information is being collected about them.
Article I (2) The right of Californians to know whether their personal information is sold or disclosed and to whom.
Article I (3) The right of Californians to say no to the sale of personal information.
Article I (4) The right of Californians to access their personal information.
Article I (5) The right of Californians to equal service and price, even if they exercise their privacy rights.

Section 3 – Title 1.81.5 CCPA 2017 added to Part 4 of Division 3 of the Civil Code

Law Section 1798.100 Right to Know What Personal Information is Being Collected.
Law Section 1798.105 Compliance with Right to Say No and Notice Requirements.
Law Section 1798.110 Articles (A), (B), (C), (D).
Law Section 1798.115 Articles (A), (B), (C), (D).
Law Section 1798.120 Articles (A), (B), (C), (D).
Law Section 1798.125 Articles (A), (B).
Law Section 1798.130 Articles (A), (B), (C).
Law Section 1798.135 Articles (A), (B), (C).
Law Section 1798.140 Articles (A), (B), (C), (D), (E)…(Y).
Law Section 1798.145 Articles (A), (B), (C), (D), (E)…(J).
Law Section 1798.150 Articles (A), (B), (C).
Law Section 1798.155 Articles (A), (B), (C), (D).
Law Section 1798.160 Articles (A), (B).
Law Section 1798.175 This title is intended to further the constitutional right…
Law Section 1798.180 This title is a matter of statewide concern and supersedes…
Law Section 1798.185 Articles (A), (B).
Law Section 1798.190 If a series of steps or transactions were component parts…
Law Section 1798.192 Any provision of a contract or agreement of any kind that purports…
Law Section 1798.194 This title shall be liberally construed to effectuate its purposes.
Law Section 1798.196 This title is intended to supplement federal and state law, if permissible…
Law Section 1798.198 Articles (A), (B).

Section 4

Article (A) The provisions of this bill are severable. If any provision of this bill or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.

Exonar is Hiring – Senior Software Developer

Key Responsibilities


  • Working within the small engineering team you will be a seasoned (Java) Developer responsible for all aspects of day-to-day development; from developing new features, improving performance of our machine-learning components, to mentoring junior developers and engaging with front-of-house.
  • Your full-stack experience will enable you to be writing Java code one day, and then plumbing it in to some Python code the next day
  • Writing modular, well tested code that remains easy to maintain as the codebase and business continues to scale
  • Understanding and applying industry best practices and ensuring your code can scale to processing billions of documents
  • Ensuring code quality via code review, automated testing and pair programming as required

Requirements


  • Technical degree or similar
  • Expert Java developer with years of enterprise or quality code development under your belt
  • Familiarity with git
  • Significant exposure to API design, service development, enterprise development patterns and messaging technologies
  • Comfortable in a Linux environment
  • Experience working with some (ideally all, but we can bring you up to speed!) of the following technologies: HBase, ElasticSearch, Cassandra, RabbitMQ, Postgres, Scala, Python, JavaScript/node.js
  • Familiarity with automation and build tools (Jenkins/ANT/Maven etc)
  • A “can-do” startup attitude and capability of bootstrapping internal projects and seeing them through to completion
  • You like clean code. The number of WTFs in your code is low
  • Familiarity with container-based deployment

Background


  • Exonar is a small software company with a product which crawls and indexes the content of large unstructured data stores to make information reportable and searchable. The product is deployed in large programmes from Cyber Breach and privacy to Cloud Migration. Demand for the product is increasing dramatically in light of European Data Protection Regulation and therefore the pace of change is fast and flexible.
  • It’s a small team, so you may do everything from leading a key development to documenting the infrastructure

The culture at Exonar


  • Regular company BBQs and social events
  • Fortnightly hackathons
  • Regular meetup group hosted on site
  • Espresso Machine/Beer Fridge/Soft drinks
  • Small office on the side of the canal in picturesque Newbury
  • Your choice of hardware
  • Flexible working

 

Applications should be sent with covering letter to ben@exonar.com