The public consultation process involves collecting and processing participants' personal data. A breach of the GDPR during a public consultation can result in severe fines of up to £17.5 million. Preventing these fines requires a proactive and accountable approach to data protection from the outset of the consultation design process. In this guide, we discuss the procedures required to manage this data in compliance.
By following the guidance outlined here, including using consultation management software, organisations can mitigate the risk of data breaches, uphold public trust, and, crucially, prevent significant fines imposed by the data protection regulator.
UK GDPR (General Data Protection Regulation) is the data protection law that governs how the personal data of individuals in the UK is collected, used, stored, and protected. The UK GDPR sets out key principles for lawful and transparent data processing, requiring organisations to have a clear purpose for collecting personal data and mandating appropriate security measures to prevent misuse or breaches. It also grants individuals specific rights over their personal data, including the right to access, correct, and challenge how their data is processed.
The regulation applies to all UK-based organisations, as well as to non-UK organisations that offer goods or services to people in the UK or monitor their behaviour. It operates alongside the Data Protection Act 2018, which provides the UK's wider data protection framework.
Data subject rights under UK GDPR are the rights granted to individuals over how their personal data is collected, used, and processed. Individuals have the following rights:
Effective data protection compliance begins when planning a public consultation. The planning phase is critical for establishing a solid, accountable foundation that minimises the risk of UK GDPR non-compliance and fines.
The first step in planning is understanding precisely what data you're dealing with. A data mapping exercise involves identifying:
Documenting this data flow provides clarity, helps identify risks, and informs subsequent decisions on security measures and retention periods. Using dedicated platforms like Jambo streamlines data mapping and auditing by centralising all your consultation information in one place. The consultation management software not only makes it easier to track what data is collected, how it's stored, and who can access it, but also enhances transparency and compliance across your data management processes. This enables teams to map and audit their data efficiently, significantly reducing manual effort and the risk of oversight.
Under the UK GDPR, you can't process personal data without a valid legal basis. For public authorities conducting consultations as part of their official functions, the most common and appropriate basis is "public task". Public task basis applies when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
You must clearly document your chosen legal basis internally and state it explicitly in your privacy notice. Jambo can help facilitate this process by ensuring that your legal basis for data processing is clearly recorded and easily accessible for both internal reference and compliance purposes.
A Data Protection Impact Assessment (DPIA) is a risk management tool that helps identify and mitigate data protection risks before processing begins. A DPIA is mandatory whenever data processing is "likely to result in a high risk" to individuals' rights and freedoms. It assesses the necessity and proportionality of the processing, identifies and evaluates risks, and defines measures to mitigate those risks. We recommend appointing a Data Protection Officer to guide your organisation through this process to ensure data compliance.
Consultations often trigger the need for a DPIA, especially if:
Jambo SRM software can simplify the DPIA process by providing clear records of what data is being collected, how it is stored and managed, and who has access to it. This transparency makes it easier to assess risks and demonstrate compliance throughout your public consultations.
Transparency is a core principle of the UK GDPR. A privacy notice is a way to communicate your data practices to participants in clear, plain language. Ensure it's accessible by having a clearly labelled link on the consultation webpage or at the beginning of the survey.
Your privacy notice must include specific information, including:
How many data protection principles are there? The UK GDPR sets out seven foundational principles:
All data processing must be lawful, meaning it must have a clear and valid legal basis for collecting and using participants' data. For fairness, organisations or departments must avoid using individuals' data in any way that may be intrusive or detrimental to them. To be transparent, it's essential to provide a clear, concise, and accessible privacy notice at the point of data collection, explaining who you are, why you need the data, and what you will do with it.
Collect data for specified, explicit, and legitimate purposes. When conducting a consultation, the primary objective is to gather opinions to inform a specific decision, such as implementing a new policy or launching a community project. The personal data collected for that consultation cannot be subsequently used for a different, unrelated purpose, such as adding participants to a general marketing database or an unrelated departmental mailing list, without a new, explicit legal basis or fresh consent. Ensure the scope of data use is clearly defined in the planning stages and adhered to.
Ensure the data you're collecting is what you need to achieve your specific consultation purpose. This principle requires a critical assessment of every piece of data requested on a consultation form. Do you genuinely need a person's full name, home address, or specific demographic data to analyse their policy input? In many cases, organisational names or anonymous responses might be all you need. Only collect data that is adequate, relevant, and strictly limited to what is necessary.
Take reasonable steps to ensure the personal data is accurate and, where necessary, kept up to date. While participants are responsible for the accuracy of their initial submission, it's essential to provide an easy mechanism for them to update their contact details or correct errors in their response during the consultation period. Processes should be in place to promptly address challenges to the accuracy of the data you store.
Avoid keeping personal data in an identifiable form for longer than is necessary for the purposes for which it was collected. This is a key area for potential non-compliance. Before launching a consultation, establish a clear, documented data retention schedule. Determine precisely when the data is no longer needed (e.g., six months after the consultation report is published and responses have been analysed) and ensure that secure deletion or anonymisation processes are implemented at that time.
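As an added illustration of the retention schedule described above (example code written for this guide, not part of Jambo or any consultation platform), the routine below computes the retention deadline as six calendar months after the report is published and, once that date has passed, strips the direct identifiers from each response while keeping the substantive comment on record. The record layout, the six-month rule and the sample data are all assumptions constructed for the example.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed retention rule for this example: identifiable data is held for
# six calendar months after the consultation report is published.
RETENTION_MONTHS = 6

@dataclass
class Response:
    response_id: str
    name: Optional[str]
    email: Optional[str]
    home_address: Optional[str]
    comment: str              # the substantive policy input, retained
    anonymised: bool = False

@dataclass
class Consultation:
    consultation_id: str
    report_published: Optional[date]   # None until the report is published
    responses: list = field(default_factory=list)

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    month0 = d.month - 1 + months
    year, month = d.year + month0 // 12, month0 % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def retention_deadline(c: Consultation) -> Optional[date]:
    """Last day on which identifiable data may still be held; None if the clock has not started."""
    if c.report_published is None:
        return None
    return add_months(c.report_published, RETENTION_MONTHS)

def anonymise(r: Response) -> Response:
    """Remove direct identifiers but keep the response text for the consultation record."""
    r.name = r.email = r.home_address = None
    r.anonymised = True
    return r

def enforce_retention(c: Consultation, today: date) -> list:
    """Anonymise every still-identifiable response once the deadline has passed; return ids touched."""
    deadline = retention_deadline(c)
    if deadline is None or today <= deadline:
        return []
    return [anonymise(r).response_id for r in c.responses if not r.anonymised]

# Constructed sample data, not real consultation records.
SAMPLE = Consultation("CON-2024-001", date(2024, 3, 1), [
    Response("r1", "A. Example", "a@example.org", "1 Sample St", "Support option B"),
    Response("r2", None, None, None, "Oppose option A", anonymised=True),
])
```

Running `enforce_retention` on a schedule (for instance a nightly job) and logging the ids it returns gives the documented evidence of deletion that the accountability principle asks for.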
You must ensure that the personal data you are processing is protected against unauthorised or unlawful processing, as well as against accidental loss, destruction, or damage. This principle requires implementing robust technical and organisational measures, such as using secure, encrypted online consultation survey platforms or stakeholder consultation software, strong passwords, access controls, and data encryption both during transit and at rest.
Human error remains a leading cause of data breaches. Staff need training on secure data handling, clear internal policies on who can access consultation data, and physical security measures for any paper records. Comprehensive training ensures that all staff understand their responsibilities. Training worth investing in includes:
Government teams face increasing pressure to handle public and community consultation and engagement data securely, transparently, and in accordance with legal requirements. Using secure consultation software such as Jambo can significantly enhance UK GDPR compliance by integrating best practices directly into day-to-day workflows.
Consultation software provides security controls that are challenging to implement using spreadsheets, email inboxes, or shared drives. These robust protections directly support the UK GDPR's principles of integrity and confidentiality:
One of the most significant risks in conducting a secure public consultation is data fragmentation, where information is scattered across platforms such as email, spreadsheets, documents, and shared folders. This increases the likelihood of losing track of personal data, making GDPR compliance significantly more challenging.
Secure consultation software such as Jambo SRM centralises all:
This single source of truth minimises unmanaged data sprawl, avoids duplication, and ensures your team always knows precisely what data it holds and why.
Freedom of Information (FOI) requests often require retrieving all information your organisation or department has on file for a person, such as contact information, consultation submissions, engagement records, and correspondence. When data is scattered across multiple systems, responding within legal time limits is slow, inconsistent, and risky.
A secure SRM system improves FOI readiness through:
| UK GDPR principle | How consultation software helps |
| --- | --- |
| Storage limitation | Access to all data in one place makes it easier to abide by defined data retention rules. |
| Accuracy | Centralised records reduce duplicate entries and outdated data. |
| Integrity and confidentiality | RBAC, encryption, and MFA protect data from unauthorised access and misuse. |
| Accountability | Full audit logs and consistent workflows provide demonstrable proof of compliance. |
Selecting stakeholder consultation software for your public consultations
Many organisations and government teams use dedicated software, such as stakeholder consultation software, to efficiently manage their public consultation information. This technology can support compliance, but it introduces third-party risk that must be managed during procurement:
Procurement checklist: The software provider must be compliant with the UK GDPR and have a data processing agreement (DPA) in place. Their security certifications should be verified.
Data location: To avoid international data transfers that may render you non-compliant with the UK GDPR, verify that data is hosted within the UK or the European Economic Area (EEA). Data should always remain within the data hosting area. Some SRMs that use third-party integrations cannot guarantee this.
Security features: Assess critical protections for public data, including encryption (at rest and in transit), multi-factor authentication (MFA), and role-based access controls (RBAC).
Jambo is compliant with UK GDPR, holds all necessary security certifications, hosts data within the EEA, and offers security features including encryption, MFA, and RBAC.