The public consultation process involves collecting and processing participants' personal data. A breach of the UK GDPR during a public consultation can result in severe fines of up to £17.5 million. Preventing these fines requires a proactive and accountable approach to data protection from the outset of the consultation design process. In this guide, we discuss the procedures required to manage this data in compliance with the UK GDPR.
By following the guidance outlined here, including using consultation management software, organisations can mitigate the risk of data breaches, uphold public trust, and, crucially, prevent significant fines imposed by the data protection regulator.
What is public consultation, and why is it important?
Public consultations are a common tool for local government and public bodies to involve individuals directly in shaping public policy. Unlike basic opinion polls, they use representative samples and provide participants with balanced information on key issues, encouraging informed deliberation. Methods often include detailed surveys, online exercises, and in-person assemblies, all developed with input from policymakers and diverse advocates to ensure fairness.
The importance of public consultation lies in its ability to make governance more responsive, inclusive, and transparent at the local level. Amplifying the public's voice helps restore trust in local government and gives officials clearer, more accurate insights into their communities' values and priorities. This process also harnesses collective intelligence, reduces bias, encourages consensus, and helps develop public policies that genuinely reflect the needs of local residents.
How to prevent UK GDPR fines during public consultation
Effective data protection compliance begins long before a consultation goes live. The planning phase is critical for establishing a solid, accountable foundation that minimises the risk of UK GDPR non-compliance and fines.
1. Conduct data mapping and auditing.
The first step in planning is understanding precisely what data you're dealing with. A data mapping exercise involves identifying:
- What personal data will be collected (names, email addresses, political opinions, organisational roles)?
- How will the data be collected (online form, email, paper submission, stakeholder consultation software)?
- Where will it be stored (specific servers, third-party software databases, departmental shared drives)?
- Who will have access to the data (policy team members, analysts, IT support, external consultants)?
Documenting this data flow provides clarity, helps identify risks, and informs subsequent decisions on security measures and retention periods. Using dedicated platforms like Jambo streamlines data mapping and auditing by centralising all your consultation information in one place. The consultation management software not only makes it easier to track what data is collected, how it's stored, and who can access it, but also enhances transparency and compliance across your data management processes. This enables teams to efficiently map and audit their data, significantly reducing manual effort and the risk of oversight.
2. Identify a lawful basis for processing
Under the UK GDPR, you can't process personal data without a valid legal basis. For public authorities conducting consultations as part of their official functions, the most common and appropriate basis is "public task". Public task basis applies when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
You must clearly document your chosen legal basis internally and state it explicitly in your privacy notice. Jambo can help facilitate this process by ensuring that your legal basis for data processing is clearly recorded and easily accessible for both internal reference and compliance purposes.
3. Use Data Protection Impact Assessments (DPIAs)
A Data Protection Impact Assessment (DPIA) is a risk management tool that helps identify and mitigate data protection risks before processing begins. A DPIA is mandatory whenever data processing is "likely to result in a high risk" to individuals' rights and freedoms. It assesses the necessity and proportionality of the processing, identifies and evaluates risks, and defines measures to mitigate those risks.
Consultations often trigger the need for a DPIA, especially if:
- You're collecting special category data (e.g., health data, political opinions, race, religious beliefs).
- You're using new technologies such as AI or large-scale monitoring.
- You're processing sensitive data such as health or biometrics.
- You're processing personal data on a large scale.
Jambo can simplify the DPIA process by providing clear records of what data is being collected, how it is stored and managed, and who has access to it. This transparency makes it easier to assess risks and demonstrate compliance throughout your public consultations.
4. Create a privacy notice
Transparency is a core principle of the UK GDPR. A privacy notice is a way to communicate your data practices to participants in clear, plain language. Ensure it's accessible by having a clearly labelled link on the consultation webpage or at the beginning of the survey.
Your privacy notice must include specific information, including:
- Your identity and contact details (and those of your Data Protection Officer).
- The purpose(s) for processing the data.
- The lawful basis you are relying on.
- The categories of personal data being collected.
- Who the data will be shared with (recipients).
- Details of any transfers outside the UK/EEA.
- The data retention period or the criteria for determining it.
- The data subjects' rights (access, correction, erasure, objection, etc.).
- Their right to complain to the Information Commissioner's Office (ICO).
Why is GDPR important in public consultation?
GDPR is essential in public consultation because it ensures that personal data such as names, contact details, and sensitive information like political opinions or health status is collected and processed lawfully, transparently, and securely. By requiring strict standards for data minimisation, purpose limitation, and the protection of special categories of data, GDPR safeguards participant rights and privacy throughout the consultation process. This not only reduces the risk of misuse or data breaches but also builds public trust, encouraging more genuine and meaningful engagement from citizens.
What are the core data protection principles in public consultations?
Compliance with the UK GDPR is based on seven foundational principles that must govern the handling of all personal data during a public consultation. But first, what is UK GDPR? The UK General Data Protection Regulation (UK GDPR) is a regulatory framework that governs most data processing activities in the United Kingdom. The seven foundational principles include:
1. Lawfulness, fairness and transparency
All data processing must be lawful, and this means having a clear and valid legal basis for collecting and using participants' data. For fairness, organisations or departments must avoid using individuals' data in any way that may be intrusive or detrimental to them. To be transparent, it's essential to provide a clear, concise, and accessible privacy notice at the point of data collection, explaining who you are, why you need the data, and what you will do with it.
2. Purpose limitation
Collect data for specified, explicit, and legitimate purposes. When conducting a consultation, the primary objective is to gather opinions to inform a specific decision, such as implementing a new policy or launching a community project. The personal data collected for that consultation cannot be subsequently used for a different, unrelated purpose, such as adding participants to a general marketing database or an unrelated departmental mailing list, without a new, explicit legal basis or fresh consent. Ensure the scope of data use is clearly defined in the planning stages and adhered to.
3. Data minimisation
Ensure the data you're collecting is what you need to achieve your specific consultation purpose. This principle requires a critical assessment of every piece of data requested on a consultation form. Do you genuinely need a person's full name, home address, or specific demographic data to analyse their policy input? In many cases, organisational names or anonymous responses might be all you need. Only collect data that is adequate, relevant, and strictly limited to what is necessary.
4. Accuracy
Take reasonable steps to ensure the personal data is accurate and, where necessary, kept up to date. While participants are responsible for the accuracy of their initial submission, it's essential to provide an easy mechanism for them to update their contact details or correct errors in their response during the consultation period. Processes should be in place to promptly address challenges to the accuracy of the data you store.
5. Storage limitation
Avoid keeping personal data in an identifiable form for longer than is necessary for the purposes for which it was collected. This is a key area for potential non-compliance. Before launching a consultation, establish a clear, documented data retention schedule. Determine precisely when the data is no longer needed (e.g., six months after the consultation report is published and responses have been analysed) and ensure that secure deletion or anonymisation processes are implemented at that time.
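The retention schedule described above can be enforced mechanically rather than by memory. The following is an added example, not code from this article or from Jambo: it models a documented retention rule ("identifiable data is no longer needed a fixed period after the report is published"), starts the clock only once a report date exists, and anonymises overdue submissions by stripping the identifying fields while keeping the policy input itself. The field names, the 182-day approximation of six months and the sample submissions are all constructed assumptions.

```python
# Added example (not from the article or from Jambo): applying a documented
# retention schedule to consultation submissions. The field names, dates and
# the 182-day approximation of "six months" are constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Fields that make a submission identifiable. The free-text response is kept,
# because it is the policy input the consultation exists to analyse.
IDENTIFYING_FIELDS = ("name", "email", "home_address")


@dataclass
class Submission:
    submission_id: str
    consultation_id: str
    name: Optional[str]
    email: Optional[str]
    home_address: Optional[str]
    organisation: Optional[str]
    response_text: str
    anonymised: bool = False


@dataclass
class Consultation:
    consultation_id: str
    report_published: Optional[date]                      # None until the report is out
    retain_after_report: timedelta = timedelta(days=182)  # the documented schedule


def retention_deadline(c: Consultation) -> Optional[date]:
    """Date from which identifiable data is no longer needed, or None while the
    consultation is still open (the retention clock has not started)."""
    if c.report_published is None:
        return None
    return c.report_published + c.retain_after_report


def anonymise(sub: Submission) -> Submission:
    """Remove the identifying fields in place; the response text survives."""
    for field_name in IDENTIFYING_FIELDS:
        setattr(sub, field_name, None)
    sub.anonymised = True
    return sub


def apply_retention(subs: List[Submission], consultations: List[Consultation],
                    today: date) -> List[Tuple[str, str]]:
    """Anonymise every submission whose consultation is past its deadline.
    Returns (submission_id, action) pairs so the run itself can be audited."""
    by_id: Dict[str, Consultation] = {c.consultation_id: c for c in consultations}
    actions: List[Tuple[str, str]] = []
    for s in subs:
        deadline = retention_deadline(by_id[s.consultation_id])
        if s.anonymised or deadline is None or today < deadline:
            continue
        anonymise(s)
        actions.append((s.submission_id, "anonymised"))
    return actions


def sample_data() -> Tuple[List[Submission], List[Consultation]]:
    """Constructed sample: one consultation reported in January 2024, one still open."""
    consultations = [
        Consultation("C-2024-01", report_published=date(2024, 1, 15)),
        Consultation("C-2024-02", report_published=None),
    ]
    subs = [
        Submission("S-1", "C-2024-01", "A. Resident", "a.resident@example.org",
                   "1 Example Street", None, "Support the cycle lane proposal."),
        Submission("S-2", "C-2024-02", "B. Resident", "b.resident@example.org",
                   "2 Example Street", "Example Residents' Association",
                   "Object to the parking changes."),
    ]
    return subs, consultations


if __name__ == "__main__":
    subs, cons = sample_data()
    print(apply_retention(subs, cons, date(2024, 8, 1)))  # [('S-1', 'anonymised')]
```

Running this on a schedule (and keeping the returned action list) gives you both the deletion the principle requires and a record that it happened on the documented date; the open consultation is left untouched because its deadline does not exist yet.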
6. Integrity and confidentiality (security)
You must ensure that the personal data you are processing is protected against unauthorised or unlawful processing, as well as against accidental loss, destruction, or damage. This principle requires implementing robust technical and organisational measures, such as using secure, encrypted online consultation survey platforms or stakeholder consultation software, strong passwords, access controls, and data encryption both during transit and at rest.
7. Organisational measures
Human error remains a leading cause of data breaches. Staff need training on secure data handling, clear internal policies on who can access consultation data, and physical security measures for any paper records. Comprehensive training ensures that all staff understand their responsibilities. Training worth investing in includes:
- Targeted training: Offer specialised training tailored to the specific consultation process. Staff should be able to use the chosen software securely, accurately identify personal data, and follow established procedures.
- Recognising incidents: Staff training can include immediately recognising a potential data breach or a data subject rights request (like a Freedom of Information (FOI) request) and knowing the internal escalation path to the Data Protection Officer (DPO) or management team.
How consultation software supports UK GDPR compliance during public consultations
Government teams face increasing pressure to handle public and community consultation and engagement data securely, transparently, and in accordance with legal requirements. Using secure consultation software such as Jambo can significantly enhance UK GDPR compliance by integrating best practices directly into day-to-day workflows.
1. Built-in security best practices
Consultation software provides security controls that are difficult to implement with spreadsheets, email inboxes, or shared drives. These protections directly support the UK GDPR's principles of integrity and confidentiality:
- Data encryption at rest (when data is stored) and in transit (when data is accessed).
- Multi-factor authentication (MFA) for all users.
- Comprehensive audit trails showing who accessed what data, what was added or changed, and when.
- Role-based access controls (RBAC): RBAC is vital for UK GDPR compliance. It ensures that only staff who genuinely need access to personal data to perform their role can access it. Stakeholder relationship management (SRM) platforms facilitate this by assigning permissions based on job function: for example, limiting contractors or interns to adding data only, restricting confidential stakeholder notes to consultation managers, or granting FOI officers access to everything for disclosure. This "need-to-know" approach to data management reduces internal breach risk and ensures that privacy is protected by design.
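The RBAC and audit-trail points above fit together naturally: every access decision should be made from the role, not the person, and every attempt (refused ones included) should be written down. The following is an added example, not code from this article or from Jambo's product, showing a default-deny role check that records an audit entry for each attempt. The role names, the two sensitivity levels and the permission sets are constructed to mirror the examples in the text (contractors add-only, consultation managers see confidential notes, FOI officers read and export everything) and are assumptions.

```python
# Added example (not from the article or from Jambo): a minimal role-based
# access check that writes an audit entry for every attempt, allowed or not.
# Role names, sensitivity levels and permission sets are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Action(Enum):
    CREATE = "create"
    READ = "read"
    UPDATE = "update"
    EXPORT = "export"


class Sensitivity(Enum):
    STANDARD = "standard"          # ordinary stakeholder records
    CONFIDENTIAL = "confidential"  # confidential stakeholder notes


Permission = Tuple[Action, Sensitivity]

# Permissions are granted per job function, never per individual.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "contractor": {(Action.CREATE, Sensitivity.STANDARD)},
    "analyst": {(Action.READ, Sensitivity.STANDARD),
                (Action.UPDATE, Sensitivity.STANDARD)},
    "consultation_manager": {(a, s) for a in (Action.CREATE, Action.READ, Action.UPDATE)
                             for s in Sensitivity},
    "foi_officer": {(a, s) for a in (Action.READ, Action.EXPORT) for s in Sensitivity},
}


@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    user: str
    role: str
    action: Action
    record_id: str
    sensitivity: Sensitivity
    allowed: bool


def is_permitted(role: str, action: Action, sensitivity: Sensitivity) -> bool:
    """Default deny: an unknown role or an unlisted (action, sensitivity) pair is refused."""
    return (action, sensitivity) in ROLE_PERMISSIONS.get(role, set())


class AccessGateway:
    """Every data access passes through attempt(), which both decides and records."""

    def __init__(self) -> None:
        self.log: List[AuditEntry] = []

    def attempt(self, user: str, role: str, action: Action, record_id: str,
                sensitivity: Sensitivity, when: Optional[datetime] = None) -> bool:
        allowed = is_permitted(role, action, sensitivity)
        # Denied attempts are logged too: they are the events a reviewer wants to see.
        self.log.append(AuditEntry(when or datetime.now(timezone.utc), user, role,
                                   action, record_id, sensitivity, allowed))
        return allowed

    def denied_attempts(self) -> List[AuditEntry]:
        return [e for e in self.log if not e.allowed]


if __name__ == "__main__":
    gw = AccessGateway()
    gw.attempt("contractor-1", "contractor", Action.CREATE, "stk-1", Sensitivity.STANDARD)
    gw.attempt("contractor-1", "contractor", Action.READ, "note-7", Sensitivity.CONFIDENTIAL)
    gw.attempt("foi-1", "foi_officer", Action.EXPORT, "note-7", Sensitivity.CONFIDENTIAL)
    for e in gw.log:
        print(e.when.isoformat(), e.user, e.role, e.action.value, e.record_id,
              "allowed" if e.allowed else "DENIED")
```

The two design choices worth copying into any real system are the default deny in `is_permitted` (a typo in a role name grants nothing) and the fact that the audit record is written before the result is returned, so there is no code path that touches a record without leaving a trace.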
2. Everything in one secure place

One of the most significant risks in conducting secure consultations is data fragmentation, where information is scattered across various platforms, including emails, spreadsheets, documents, and shared folders. This increases the likelihood of losing track of personal data, making GDPR compliance significantly more challenging.
Secure consultation software like Jambo centralises all:
- stakeholder information
- engagement records and notes
- consultation submissions
- follow-up actions
- documents and correspondence
This single source of truth minimizes unmanaged data sprawl, avoids duplication, and ensures your team always knows precisely what data it holds and why.
3. Streamlined FOI readiness
Freedom of Information (FOI) requests often require retrieving all information your organisation or department has on file for a person, such as contact information, consultation submissions, engagement records, and correspondence. When data is scattered across multiple systems, responding within legal time limits is slow, inconsistent, and risky.
A secure SRM system improves FOI readiness through:
- Fast, accurate search and filtering capabilities
- Tags and metadata that link records to specific consultations
- Export tools that support disclosure workflows
- The ability to quickly separate personal from non-personal data
| GDPR principle | How consultation software helps |
|---|---|
| Storage limitation | Access to all data in one place makes it easier to abide by defined data retention rules. |
| Accuracy | Centralised records reduce duplicates and outdated data. |
| Integrity and confidentiality | RBAC, encryption, and MFA protect data from unauthorised access and misuse. |
| Accountability | Full audit logs and consistent workflows provide demonstrable proof of compliance. |
Selecting stakeholder consultation software for your public consultations
Many organisations and government teams utilize dedicated software, such as stakeholder consultation software, to manage their consultation information efficiently. This technology can support compliance, but it introduces third-party risk that must be managed during procurement:
- Procurement checklist: The software provider must be compliant with the UK GDPR and have a data processing agreement (DPA) in place. Their security certifications should be verified.
- Data location: To avoid international data transfers that may render you non-compliant with the UK GDPR, verify that data is hosted within the UK or the European Economic Area (EEA). Data should always remain within the data hosting area. Some SRMs that use third-party integrations cannot guarantee this.
- Security features: Assess critical protections for public data, including encryption (at rest and in transit), multi-factor authentication (MFA), and role-based access controls (RBAC).
Jambo is compliant with UK GDPR, holds all necessary security certifications, hosts data within the EEA, and offers security features including encryption, MFA, and RBAC.