Do as I say, not as I do: The state is failing to comply with its own data regulations

Elliott Haworth
[Image: Theresa May seeks the Queen's permission to form a UK government. Caption: Do as I say, not as I do (Source: Getty)]

Following Theresa May’s disastrous showing at the election there wasn’t much for Her Majesty to announce in the Queen’s Speech last week.

However, amid promises to crack down on whiplash claims and something to do with new energy meters, the Head of State also announced data laws “suitable for the digital age”.

This was dressed up as new government action, but what was promised is all too familiar for anyone with an eye on the EU’s approaching General Data Protection Regulation (GDPR).

Indeed, thanks to this EU regulation, the so-called Data Protection Bill would have been enacted into law next year, regardless of Tory electoral success – if one can call it that.

Leaving aside the fact that the government is claiming as their own something that the EU is making them do, the state’s own record on data protection should be examined.

Mere days after the government promoted its shiny new data protection laws, it suffered a data breach in which email accounts belonging to “dozens” of parliamentarians were hacked.

This, it’s worth adding, was but days after the government-backed Cyber Essentials scheme suffered a data breach, and just weeks after the WannaCry attack virtually shut down the NHS.

Indeed, it would appear that state, or state-backed, institutions are likely not compliant with regulations shortly to be imposed by the err... state.

Failure to comply with the GDPR can land a business with a fine of €20m or 4 per cent of global group revenue. Does the same apply to government? There’s certainly no mention of government exemptions in the GDPR text.

For the state to issue itself a penalty would be both amusing and absurd. But let’s be hypothetical for a moment. The NHS budget, stretched as it is, stands at £117.3bn. Disregarding the fact that budgets are distributed between local trusts, if the NHS were treated as a single entity and, following the WannaCry attack, its systems were found to be non-compliant (and I’m told on good authority that they are), then it could be liable to a £4.7bn fine under the GDPR’s penalty structure.

That’s not far off the real-terms increase the NHS budget is due to receive by 2020.

It’s quite clear that this will never happen: the government isn’t going to penalise itself. But it raises questions about the infallibility of such regulation.

If the state can’t abide by its own legislation, how can it assert authority over those it governs?

That’s double standards, for certain.

No doubt the GDPR is mostly positive, and long overdue. However, it might pay for our vicar’s daughter PM to recall the Sermon on the Mount. “Do unto others as you would have them do unto you.” Practice what you preach, essentially.

The government is in no position to command that the business world must comply with such high standards, backed by a compliance regime and egregious fines, when its own state of affairs is so very unfitting.

Data protection, privacy, and subsequently security, should be of the highest priority for any modern government. Presently it’s “do as I say, not as I do”. If they can’t get it right, and lead by example, what hope does anyone else have?

Elliott Haworth is business features writer at City A.M.

City A.M.'s opinion pages are a place for thought-provoking views and debate. These views are not necessarily shared by City A.M.
