Jan 12, 2026  Chinenye Ozowara

Last updated on February 12, 2026

A UK government guide to preventing GDPR fines in public consultations

How consultation software supports UK GDPR compliance

The public consultation process involves collecting and processing participants' personal data. A breach of the UK GDPR during a public consultation can result in fines of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher, for the most serious infringements. Preventing these fines requires a proactive and accountable approach to data protection from the outset of the consultation design process. In this guide, we discuss the procedures required to manage this data in compliance with the UK GDPR.

By following the guidance outlined here, including using consultation management software, organisations can reduce the risk of data breaches, uphold public trust and, crucially, avoid significant fines imposed by the Information Commissioner's Office (ICO), the UK's data protection regulator.

What is the UK GDPR?

The UK GDPR (General Data Protection Regulation) is the UK's data protection law governing how the personal data of individuals in the UK is collected, used, stored and protected. It is the UK version of the EU GDPR, retained in domestic law after Brexit, and has been in force since 1 January 2021.

The UK GDPR sets out key principles for lawful and transparent data processing, requiring organisations to have a clear purpose for collecting personal data, and mandates appropriate security measures to prevent misuse or breaches. It also grants individuals specific rights over their personal data, including the right to access, correct, and challenge how their data is processed.

The regulation applies to organisations established in the UK, and to non-UK organisations that offer goods or services to people in the UK or monitor their behaviour. It operates alongside the Data Protection Act 2018, which supplements it and provides the UK's wider data protection framework.

What are the data subject rights under UK GDPR?


Data subject rights under UK GDPR are the rights granted to individuals over how their personal data is collected, used, and processed. Individuals have the following rights:

  • Right to be informed: Individuals have the right to know what personal data is being collected, the purpose of collection, how long it will be stored, and whether it will be shared with third parties.

  • Right of access: Individuals can submit a Data Subject Access Request (DSAR) to obtain a copy of the personal data an organisation holds about them.

  • Right to rectification: Individuals have the right to request corrections to inaccurate or incomplete personal data.

  • Right to erasure: Individuals may request that their personal data be erased in certain circumstances, such as when the data is no longer necessary or has been unlawfully processed.

  • Right to restrict processing: Individuals can ask an organisation to limit how their personal data is processed.

  • Right to data portability: Individuals have the right to receive their personal data in a structured, machine-readable format and transfer it to another organisation.

  • Right to object: Individuals can object to the processing of their personal data when it is based on legitimate interests or carried out in the public interest or under official authority.

  • Rights related to automated decision-making and profiling: Individuals have the right not to be subject to decisions based solely on automated processing, including profiling.

Steps to prevent UK GDPR fines during a public consultation

Effective data protection compliance begins when planning a public consultation. The planning phase is critical for establishing a solid, accountable foundation that minimises the risk of UK GDPR non-compliance and fines.

1. Conduct data mapping and documentation

The first step in planning is understanding precisely what data you're dealing with. A data mapping exercise involves identifying:

  • What personal data will be collected (names, email addresses, political opinions, organisational roles)

  • How it will be collected (online form, email, paper submission, stakeholder consultation software)

  • Where it will be stored (specific servers, third-party software databases, departmental shared drives)

  • Who will have access to it (policy team members, analysts, IT support, external consultants)

  • How long it will be kept, and who is responsible for deleting or anonymising it when that period ends

Documenting this data flow provides clarity, helps identify risks, and informs subsequent decisions on security measures and retention periods. It also forms the basis of the record of processing activities required under Article 30 of the UK GDPR. Dedicated platforms such as Jambo streamline data mapping and auditing by centralising consultation information in one place, making it easier to track what data is collected, how it is stored and who can access it, and reducing both manual effort and the risk of oversight.

2. Identify a lawful basis for processing

Under the UK GDPR, you cannot process personal data without a valid lawful basis. For public authorities conducting consultations as part of their official functions, the most common and appropriate basis is "public task", which applies when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Consent is rarely the right choice here: it must be freely given and as easy to withdraw as to give, and the ICO warns that the imbalance of power between a public authority and the public makes genuine consent hard to demonstrate. If you collect special category data (for example political opinions or health information), you also need a separate Article 9 condition in addition to the lawful basis.

You must clearly document your chosen lawful basis internally and state it explicitly in your privacy notice. Jambo can help by ensuring that your lawful basis for data processing is clearly recorded and easily accessible for both internal reference and compliance purposes.

3. Conduct a Data Protection Impact Assessment (DPIA)

A Data Protection Impact Assessment (DPIA) is a risk management tool that helps identify and mitigate data protection risks before processing begins. A DPIA is mandatory whenever processing is "likely to result in a high risk" to individuals' rights and freedoms. It assesses the necessity and proportionality of the processing, identifies and evaluates risks, and defines measures to mitigate them. Public authorities are required to appoint a Data Protection Officer (DPO) in any case, and the DPO's advice must be sought and recorded when carrying out a DPIA.

Consultations often trigger the need for a DPIA, especially if you are:

  • Collecting special category data (e.g., health data, biometric data, political opinions, racial or ethnic origin, religious beliefs)

  • Using new technologies, such as AI-assisted analysis of responses, or large-scale monitoring

  • Processing personal data on a large scale, or combining consultation data with other datasets

Jambo SRM software can simplify the DPIA process by providing clear records of what data is being collected, how it is stored and managed, and who has access to it. This transparency makes it easier to assess risks and demonstrate compliance throughout your public consultations. 

4. Create a privacy notice

Transparency is a core principle of the UK GDPR. A privacy notice is a way to communicate your data practices to participants in clear, plain language. Ensure it's accessible by having a clearly labelled link on the consultation webpage or at the beginning of the survey.

Your privacy notice must include specific information, including:

  • Your identity and contact details (and those of your Data Protection Officer).

  • The purpose(s) for processing the data.

  • The lawful basis you are relying on.

  • The categories of personal data being collected.

  • Who the data will be shared with (recipients).

  • Details of any transfers of the data outside the UK, and the safeguards relied on.

  • The data retention period or the criteria for determining it.

  • The data subjects' rights (access, correction, erasure, objection, etc.).

  • Their right to complain to the Information Commissioner's Office (ICO).

What are the core UK GDPR data protection principles?


How many data protection principles are there? Article 5 of the UK GDPR sets out seven foundational principles, and they are:

1. Lawfulness, fairness and transparency

All data processing must be lawful, meaning it must have a clear and valid legal basis for collecting and using participants' data. For fairness, organisations or departments must avoid using individuals' data in any way that may be intrusive or detrimental to them. To be transparent, it's essential to provide a clear, concise, and accessible privacy notice at the point of data collection, explaining who you are, why you need the data, and what you will do with it.

2. Purpose limitation

Collect data for specified, explicit, and legitimate purposes. When conducting a consultation, the primary objective is to gather opinions to inform a specific decision, such as implementing a new policy or launching a community project. The personal data collected for that consultation cannot be subsequently used for a different, unrelated purpose, such as adding participants to a general marketing database or an unrelated departmental mailing list, without a new, explicit legal basis or fresh consent. Ensure the scope of data use is clearly defined in the planning stages and adhered to.

3. Data minimisation

Ensure the data you're collecting is what you need to achieve your specific consultation purpose. This principle requires a critical assessment of every piece of data requested on a consultation form. Do you genuinely need a person's full name, home address, or specific demographic data to analyse their policy input? In many cases, organisational names or anonymous responses might be all you need. Only collect data that is adequate, relevant, and strictly limited to what is necessary.

4. Accuracy

Take reasonable steps to ensure the personal data is accurate and, where necessary, kept up to date. While participants are responsible for the accuracy of their initial submission, it's essential to provide an easy mechanism for them to update their contact details or correct errors in their response during the consultation period. Processes should be in place to promptly address challenges to the accuracy of the data you store.

5. Storage limitation

Avoid keeping personal data in an identifiable form for longer than is necessary for the purposes for which it was collected. This is a key area for potential non-compliance. Before launching a consultation, establish a clear, documented data retention schedule. Determine precisely when the data is no longer needed (e.g., six months after the consultation report is published and responses have been analysed) and ensure that secure deletion or anonymisation processes are implemented at that time.
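A retention schedule only counts if something enforces it. The following is an added example, not Jambo's code and not part of the original guide: a small Python routine that applies the kind of rule described above (here assumed to be "anonymise 180 days after the consultation report is published") to consultation responses. The record types, field names, the 180-day period and the sample data are all assumptions made for the example. It keeps the substantive answer text for analysis, strips the direct identifiers, redacts email addresses that respondents typed into free-text answers, and fails closed by anonymising any response whose consultation record cannot be found, since there is then no documented purpose for holding the identifiers.

```python
import re
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Retention schedule assumed for this example: keep responses in identifiable
# form for 180 days after the consultation report is published, then anonymise.
RETENTION_AFTER_REPORT = timedelta(days=180)

# Free-text answers often carry identifiers the form never asked for; redact
# email addresses so an "anonymised" record cannot re-identify the respondent.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


@dataclass(frozen=True)
class Consultation:
    consultation_id: str
    report_published: Optional[date]  # None while responses are still being analysed


@dataclass(frozen=True)
class Response:
    response_id: str
    consultation_id: str
    name: Optional[str]
    email: Optional[str]
    organisation: Optional[str]  # kept: needed to weigh organisational responses
    answer_text: str


def anonymise(resp: Response) -> Response:
    """Strip direct identifiers but keep the substantive answer for analysis."""
    return replace(
        resp,
        name=None,
        email=None,
        answer_text=EMAIL_RE.sub("[email redacted]", resp.answer_text),
    )


def retention_expired(consultation: Consultation, today: date,
                      retention: timedelta = RETENTION_AFTER_REPORT) -> bool:
    """True once the identifiable copy is no longer needed under the schedule."""
    if consultation.report_published is None:
        return False  # still needed identifiable, e.g. so a respondent can correct it
    return today >= consultation.report_published + retention


def apply_retention(responses: List[Response], consultations: List[Consultation],
                    today: date) -> Tuple[List[Response], List[Tuple[str, str]]]:
    """Return (processed responses, actions); each action is (response_id, reason)."""
    by_id: Dict[str, Consultation] = {c.consultation_id: c for c in consultations}
    processed: List[Response] = []
    actions: List[Tuple[str, str]] = []
    for r in responses:
        c = by_id.get(r.consultation_id)
        if c is None:
            # No consultation record means no documented purpose for the identifiers:
            # fail closed and anonymise rather than keep the data by default.
            processed.append(anonymise(r))
            actions.append((r.response_id, "anonymised: no consultation record"))
        elif retention_expired(c, today):
            processed.append(anonymise(r))
            actions.append((r.response_id, "anonymised: retention period expired"))
        else:
            processed.append(r)
            actions.append((r.response_id, "retained: within retention period"))
    return processed, actions


# Constructed sample data for the example (not real consultations or people).
TODAY = date(2026, 9, 1)
SAMPLE_CONSULTATIONS = [
    Consultation("C-1", report_published=date(2026, 2, 1)),  # 180 days end on 2026-07-31
    Consultation("C-2", report_published=None),
]
SAMPLE_RESPONSES = [
    Response("R-1", "C-1", "A. Example", "a.example@example.org", None,
             "Contact me at a.example@example.org for details."),
    Response("R-2", "C-2", "B. Example", "b@example.net", "Example Parish Council",
             "We support option 2."),
    Response("R-3", "C-9", "C. Example", "c@example.com", None, "No comment."),
]

if __name__ == "__main__":
    processed, actions = apply_retention(SAMPLE_RESPONSES, SAMPLE_CONSULTATIONS, TODAY)
    for r, (_, reason) in zip(processed, actions):
        print(r.response_id, reason, r.name, r.email, r.answer_text, sep=" | ")
```

The actions list is the audit record of what was anonymised and why; keep it, because the accountability principle requires you to be able to show that the schedule was actually applied. Organisation names are retained here on the assumption that they are needed to weigh organisational responses; review that assumption for sole traders or very small bodies, where the organisation name can itself identify a person.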

6. Integrity and confidentiality (security)

You must ensure that the personal data you are processing is protected against unauthorised or unlawful processing, as well as against accidental loss, destruction, or damage. This principle requires implementing robust technical and organisational measures, such as using secure, encrypted online consultation survey platforms or stakeholder consultation software, strong passwords, access controls, and data encryption both during transit and at rest.

7. Accountability

The seventh principle, accountability, requires you not only to comply with the other six but to be able to demonstrate that you do: documented policies, records of processing, DPIAs, audit trails and staff training are the evidence. Human error remains a leading cause of data breaches, so accountability in practice means staff training on secure data handling, clear internal policies on who can access consultation data, and physical security measures for any paper records. Training to invest in includes:

  • Targeted training: Offer specialised training tailored to the specific consultation process. Staff should be able to use the chosen software securely, accurately identify personal data, and follow established procedures.
  • Recognising incidents: Staff should be able to recognise immediately a potential data breach, a data subject rights request (such as a DSAR) or a Freedom of Information (FOI) request, and know the internal escalation path to the Data Protection Officer (DPO) or management team. A reportable personal data breach must be notified to the ICO within 72 hours of becoming aware of it, so that escalation path must be fast.


What is the purpose of data protection in public consultation?

Data protection is essential in public consultation because it ensures that personal data, such as names, contact details, and sensitive information like political opinions or health status, is collected and processed lawfully, transparently, and securely. By requiring strict standards for data minimisation, purpose limitation, and the protection of special categories of data, the UK GDPR safeguards participant rights and privacy throughout the consultation process. This not only reduces the risk of misuse or data breaches but also builds public trust, encouraging more genuine and meaningful engagement from citizens.

How consultation software supports UK GDPR compliance during public consultations

Government teams face increasing pressure to handle public and community consultation and engagement data securely, transparently, and in accordance with legal requirements. Using secure consultation software such as Jambo can significantly enhance UK GDPR compliance by integrating best practices directly into day-to-day workflows.

1. Built-in security best practices

Consultation software provides security controls that are difficult to implement consistently with spreadsheets, email inboxes or shared drives. These protections directly support the UK GDPR's integrity and confidentiality principle:

  • Data encryption at rest (where data is stored) and in transit (when it moves over the network between a user's browser and the service).
  • Multi-factor authentication (MFA) for all users.
  • Comprehensive audit trails showing who accessed what data, what was added or changed, and when.
  • Role-Based Access Controls (RBAC): RBAC is vital for GDPR compliance. It ensures that only staff who genuinely need access to personal data to perform their role can access it. SRM platforms facilitate this by assigning permissions based on job function. For example, limiting contractors or interns to adding data only, restricting confidential stakeholder notes to consultation managers, or granting FOI officers access to everything for disclosure. This "need-to-know" approach to data management reduces internal breach risk and ensures that privacy is protected by design.
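To make the last two bullets concrete, here is an added example in Python, not Jambo's code and not part of the original guide, of a default-deny role-based access check whose every decision, allowed or denied, is written to an audit trail. The roles (intern, analyst, consultation manager, FOI officer), resource types, actions and the permission matrix are assumptions that follow the scenario described above: interns may only add records, confidential stakeholder notes are readable only by consultation managers, and FOI officers can read and export everything but change nothing.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set

# Permission matrix assumed for this example: role -> resource type -> allowed actions.
# Anything not listed is denied (default deny), so a new resource type is invisible
# to every role until someone deliberately grants access to it.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "intern": {
        "stakeholder": {"create"},
        "submission": {"create"},
    },
    "analyst": {
        "stakeholder": {"read"},
        "submission": {"create", "read"},
    },
    "consultation_manager": {
        "stakeholder": {"create", "read", "update"},
        "submission": {"create", "read", "update"},
        "confidential_note": {"create", "read", "update"},
    },
    "foi_officer": {
        "stakeholder": {"read", "export"},
        "submission": {"read", "export"},
        "confidential_note": {"read", "export"},
    },
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str


@dataclass(frozen=True)
class AuditEvent:
    when: str
    user_id: str
    role: str
    action: str
    resource_type: str
    resource_id: str
    allowed: bool


def is_allowed(role: str, action: str, resource_type: str) -> bool:
    """Pure policy lookup: unknown roles, actions and resource types all deny."""
    return action in POLICY.get(role, {}).get(resource_type, set())


def authorise(user: User, action: str, resource_type: str, resource_id: str,
              audit_log: List[AuditEvent]) -> bool:
    """Decide, then record the decision (allowed or denied) in the audit trail."""
    allowed = is_allowed(user.role, action, resource_type)
    audit_log.append(AuditEvent(
        when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        user_id=user.user_id, role=user.role, action=action,
        resource_type=resource_type, resource_id=resource_id, allowed=allowed,
    ))
    return allowed


def denied_events(audit_log: List[AuditEvent]) -> List[AuditEvent]:
    """Denied attempts are the first thing to review when investigating misuse."""
    return [e for e in audit_log if not e.allowed]


if __name__ == "__main__":
    log: List[AuditEvent] = []
    intern = User("u-intern", "intern")
    manager = User("u-manager", "consultation_manager")
    foi = User("u-foi", "foi_officer")
    authorise(intern, "create", "submission", "S-1", log)        # allowed
    authorise(intern, "read", "confidential_note", "N-1", log)   # denied
    authorise(manager, "read", "confidential_note", "N-1", log)  # allowed
    authorise(foi, "export", "confidential_note", "N-1", log)    # allowed
    authorise(foi, "update", "submission", "S-1", log)           # denied
    for event in log:
        print(event)
```

Two design points matter for compliance. The check is default deny, so forgetting to list a resource type locks it down rather than opening it up. And denied attempts are logged as well as successful ones, because a pattern of refused reads of confidential notes is exactly the signal an investigation or an ICO enquiry will ask you to produce.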

2. Everything in one secure place


One of the most significant risks in conducting a secure public consultation is data fragmentation, where information is scattered across various platforms, including emails, spreadsheets, documents, and shared folders. This increases the likelihood of losing track of personal data, making GDPR compliance significantly more challenging.

Secure consultation software such as Jambo centralises all:

  • stakeholder information
  • engagement records and notes
  • consultation submissions
  • follow-up actions
  • documents and correspondence

This single source of truth minimises unmanaged data sprawl, avoids duplication, and ensures your team always knows precisely what data it holds and why.

3. Streamlined FOI and DSAR readiness

A subject access request (DSAR) requires you to retrieve all personal data your organisation or department holds about a person: contact information, consultation submissions, engagement records and correspondence. Freedom of Information (FOI) requests can similarly require you to locate every record relating to a consultation. Both carry statutory deadlines (one month for a DSAR, 20 working days for an FOI request), and when data is scattered across multiple systems, responding in time is slow, inconsistent and risky.

A secure SRM system improves FOI and DSAR readiness through:

  • Fast, accurate search and filtering capabilities
  • Tags and metadata that link records to specific consultations
  • Export tools that support disclosure workflows
  • The ability to quickly separate personal from non-personal data

UK GDPR principle              How consultation software helps
Storage limitation             All data in one place makes it easier to apply defined retention rules.
Accuracy                       Centralised records reduce duplicate entries and outdated data.
Integrity and confidentiality  RBAC, encryption and MFA protect data from unauthorised access and misuse.
Accountability                 Full audit logs and consistent workflows provide demonstrable evidence of compliance.

Selecting stakeholder consultation software for your public consultations

Many organisations and government teams use dedicated software, such as stakeholder consultation software, to manage their public consultation information efficiently. This technology can support compliance, but it introduces third-party (processor) risk that must be managed during procurement:

Procurement checklist: The software provider must comply with the UK GDPR and have a data processing agreement (DPA) in place that meets the Article 28 requirements for controller-processor contracts, including a list of its sub-processors. Ask for evidence of independent security certification (for example ISO/IEC 27001) rather than a self-declaration.

Data location: To avoid restricted international transfers, verify where data is hosted and where it is backed up. Hosting in the UK needs no transfer mechanism; hosting in the EEA is covered by UK adequacy regulations; anywhere else requires appropriate safeguards such as the ICO's International Data Transfer Agreement. Confirm that data also stays within that hosting area when the platform uses third-party integrations or support tooling, since some SRMs cannot guarantee this.

Security features: Assess critical protections for public data, including encryption (at rest and in transit), multi-factor authentication (MFA), role-based access controls (RBAC), and audit logging.

Jambo is compliant with the UK GDPR, hosts data within the EEA, offers encryption, MFA and RBAC, and can provide its security certifications and DPA on request as part of the procurement checks above.
