The process of public consultation involves collecting and processing personal data from participants. A breach of the UK GDPR during a public consultation can result in severe fines of up to £17.5 million. Preventing these fines requires a proactive and accountable approach to data protection from the outset of the consultation design process. In this guide, we discuss the procedures necessary to manage this data in a compliant manner. By following the guidance outlined here, organisations can mitigate the risk of data breaches, uphold public trust, and, crucially, prevent significant fines imposed by the data protection regulator.
Compliance with the UK GDPR is based on seven foundational principles that must govern the handling of all personal data during a public consultation. But first, what is UK GDPR? The UK General Data Protection Regulation (UK GDPR) is a regulatory framework that governs most data processing activities in the United Kingdom. The seven foundational principles include:
Lawfulness, fairness and transparency. All data processing must be lawful, and this means having a clear and valid legal basis for collecting and using participants' data. For fairness, organisations or departments must avoid using individuals' data in any way that may be intrusive or detrimental to them. To be transparent, it's essential to provide a clear, concise, and accessible privacy notice at the point of data collection, explaining who you are, why you need the data, and what you will do with it.
Purpose limitation. Collect data for specified, explicit, and legitimate purposes. When conducting a consultation, the primary objective is to gather opinions to inform a specific decision, such as implementing a new policy or launching a community project. The personal data collected for that consultation cannot be subsequently used for a different, unrelated purpose, such as adding participants to a general marketing database or an unrelated departmental mailing list, without a new, explicit legal basis or fresh consent. Ensure the scope of data use is clearly defined in the planning stages and adhered to.
Data minimisation. Ensure the data you're collecting is what you need to achieve your specific consultation purpose. This principle requires a critical assessment of every piece of data requested on a consultation form. Do you genuinely need a person's full name, home address, or specific demographic data to analyse their policy input? In many cases, organisational names or anonymous responses might be all you need. Only collect data that is adequate, relevant, and strictly limited to what is necessary.
Accuracy. Take reasonable steps to ensure the personal data is accurate and, where necessary, kept up to date. While participants are responsible for the accuracy of their initial submission, it's essential to provide an easy mechanism for them to update their contact details or correct errors in their response during the consultation period. Processes should be in place to promptly address challenges to the accuracy of the data you store.
Storage limitation. Avoid keeping personal data in an identifiable form for longer than is necessary for the purposes for which it was collected. This is a key area for potential non-compliance. Before launching a consultation, establish a clear, documented data retention schedule. Determine precisely when the data is no longer needed (e.g., six months after the consultation report is published and responses have been analysed) and ensure that secure deletion or anonymisation processes are implemented at that time.
Integrity and confidentiality. You must ensure that the personal data you are processing is protected against unauthorised or unlawful processing, as well as against accidental loss, destruction, or damage. This principle requires implementing robust technical and organisational measures, such as using secure, encrypted online consultation survey platforms or stakeholder consultation software, strong passwords, access controls, and data encryption both during transit and at rest.
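The retention schedule described above is only effective if something enforces it. The following is an added example, not code from the article or from any consultation product: a scheduled job that holds one documented retention rule per consultation (a number of months after the report is published, then either anonymise or delete) and applies it to the records that are due. The records, consultation names, dates and rules are all constructed for illustration; the field names (`name`, `email`, `postal_address`, `phone`, `ward`, `text`) are assumptions.

```python
"""Retention schedule enforcement for consultation responses (added example, constructed data)."""
import calendar
from dataclasses import dataclass
from datetime import date

# Fields that directly identify a participant and are stripped on anonymisation.
DIRECT_IDENTIFIERS = ("name", "email", "postal_address", "phone")


@dataclass(frozen=True)
class RetentionRule:
    """How long identifiable data is kept after the report is published, and what happens then."""
    months_after_report: int
    action: str  # "anonymise" keeps the response text; "delete" removes the whole record


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the last valid day (31 Jan + 1 month = 28/29 Feb)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def anonymise(record: dict) -> dict:
    """Return a copy with direct identifiers removed; coarse fields (ward) and the response text stay."""
    kept = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    kept["anonymised"] = True
    return kept


def apply_retention(records, report_published, rules, today):
    """Apply each consultation's rule to its records.

    report_published maps consultation id -> publication date (None while unpublished).
    Returns (surviving_records, actions); actions lists the (response_id, action) pairs taken.
    """
    surviving, actions = [], []
    for rec in records:
        cid = rec["consultation"]
        rule = rules[cid]  # every consultation must have a documented rule; KeyError otherwise
        published = report_published.get(cid)
        if rec.get("anonymised"):
            surviving.append(rec)  # already stripped: nothing identifiable left to act on
            continue
        # Not yet due: report unpublished, or the deadline has not passed.
        if published is None or today < add_months(published, rule.months_after_report):
            surviving.append(rec)
            continue
        if rule.action == "anonymise":
            surviving.append(anonymise(rec))
            actions.append((rec["response_id"], "anonymised"))
        elif rule.action == "delete":
            actions.append((rec["response_id"], "deleted"))
        else:
            raise ValueError(f"unknown retention action {rule.action!r}")
    return surviving, actions


def identifiable_count(records) -> int:
    """Number of records still holding any direct identifier; a simple compliance metric."""
    return sum(1 for r in records if any(r.get(f) for f in DIRECT_IDENTIFIERS))


# Constructed sample data (not real participants).
RECORDS = [
    {"response_id": "r1", "consultation": "park-redesign", "name": "A. Example",
     "email": "a@example.invalid", "postal_address": "1 Example Road", "phone": "",
     "ward": "North", "text": "Keep the playground where it is."},
    {"response_id": "r2", "consultation": "bus-routes", "name": "B. Example",
     "email": "b@example.invalid", "postal_address": "2 Example Road", "phone": "",
     "ward": "South", "text": "Route 12 should run later in the evening."},
    {"response_id": "r3", "consultation": "library-hours", "name": "C. Example",
     "email": "c@example.invalid", "postal_address": "3 Example Road", "phone": "",
     "ward": "East", "text": "Open on Sunday mornings."},
]
REPORT_PUBLISHED = {"park-redesign": date(2024, 3, 1), "bus-routes": None,
                    "library-hours": date(2024, 8, 15)}
RULES = {"park-redesign": RetentionRule(6, "anonymise"),
         "bus-routes": RetentionRule(6, "anonymise"),
         "library-hours": RetentionRule(6, "delete")}

if __name__ == "__main__":
    survivors, taken = apply_retention(RECORDS, REPORT_PUBLISHED, RULES, date(2024, 9, 1))
    print(taken)                          # [('r1', 'anonymised')]
    print(identifiable_count(survivors))  # 2
```

Two design points matter here. The deadline is keyed to the report's publication date rather than the collection date, because that is the event the schedule in the text refers to, and records of an unpublished consultation are never touched. Anonymisation removes the direct identifiers but keeps the coarse ward and the free-text response, so the analysis remains reproducible after the identifiable data is gone; if the free text itself could identify someone, the rule should be "delete" instead.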
Human error remains a leading cause of data breaches. Staff need training on secure data handling, clear internal policies on who can access consultation data, and physical security measures for any paper records. Comprehensive training ensures that all staff understand their responsibilities. Training worth investing in includes:
Effective data protection compliance begins long before a consultation goes live. The planning phase is critical for establishing a solid, accountable foundation that minimises the risk of GDPR non-compliance and fines.
The first step in planning is understanding precisely what data you're dealing with. A data mapping exercise involves identifying:
Documenting this flow of data provides clarity, helps identify risks, and informs subsequent decisions about security measures and retention periods.
Under the UK GDPR, you can't process personal data without a valid legal basis. For public authorities conducting consultations as part of their official functions, the most common and appropriate basis is "public task". The public task basis applies when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
You must clearly document your chosen legal basis internally and state it explicitly in your privacy notice.
A Data Protection Impact Assessment (DPIA) is a risk management tool that helps identify and mitigate data protection risks before processing begins. A DPIA is mandatory whenever data processing is "likely to result in a high risk" to individuals' rights and freedoms. It assesses the necessity and proportionality of the processing, identifies and evaluates risks, and defines measures to mitigate those risks.
Consultations often trigger the need for a DPIA, especially if:
Transparency is a core principle of the UK GDPR. A privacy notice is a way to communicate your data practices to participants in clear, plain language. Ensure it's accessible by having a clearly labelled link on the consultation webpage or at the beginning of the survey.
Your privacy notice must include specific information, including:
Government teams face increasing pressure to handle public and community consultation and engagement data securely, transparently, and in accordance with legal requirements. Utilising secure consultation software such as Jambo can significantly enhance UK GDPR compliance by integrating best practices directly into day-to-day workflows.
A stakeholder relationship management (SRM) system offers security controls that are challenging to implement using spreadsheets, email inboxes, or shared drives. These robust protections directly support the UK GDPR's principles of integrity and confidentiality:
One of the most significant risks in conducting secure consultations is data fragmentation, where information is scattered across various platforms, including emails, spreadsheets, documents, and shared folders. This increases the likelihood of losing track of personal data, making GDPR compliance significantly more challenging.
A secure SRM system like Jambo centralises all:
This single source of truth minimises unmanaged data sprawl, avoids duplication, and ensures your team always knows precisely what data it holds and why.
Freedom of Information (FOI) requests often require retrieving all information your organisation or department has on file for a person, such as contact information, consultation submissions, engagement records, and correspondence. When data is scattered across multiple systems, responding within legal time limits is slow, inconsistent, and prone to risk.
A secure SRM system improves FOI readiness through:
SRM software transforms GDPR compliance from a manual burden into an embedded, automated process that supports safe, secure, and transparent public consultation work. By consolidating data, securing access, and enforcing consistent processes, SRM software platforms help organisations adhere to multiple GDPR principles automatically:
| GDPR principle | How SRM software helps |
|---|---|
| Storage limitation | Access to all data in one place makes it easier to abide by defined data retention rules. |
| Accuracy | Centralised records reduce duplicates and outdated data. |
| Integrity and confidentiality | RBAC, encryption, and MFA protect data from unauthorised access and misuse. |
| Accountability | Full audit logs and consistent workflows provide demonstrable proof of compliance. |
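The table above pairs role-based access control with audit logging, and the procurement checklist below asks for RBAC as a feature; the following added example (not code from the article or from any SRM product) shows what those two controls look like in a response store. Every read passes two checks, whether the user's role permits the action and whether the user is assigned to that consultation, and every decision, allowed or denied, is appended to an audit log. Roles, permissions, users and records are constructed for illustration; the class and field names are assumptions.

```python
"""Role-based access and audit logging for consultation responses (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Direct identifiers, redacted from the view returned for anonymised reads.
DIRECT_IDENTIFIERS = {"name", "email", "postal_address", "phone"}

# Constructed policy: role -> actions it may perform. Anything absent is denied.
ROLE_PERMISSIONS = {
    "analyst": {"read_anonymised"},
    "consultation_lead": {"read_anonymised", "read_identifiable"},
    "data_protection_officer": {"read_anonymised", "read_identifiable", "export", "delete"},
}
ALL_CONSULTATIONS = "*"  # scope marker for roles that legitimately span every consultation


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    consultations: frozenset  # consultation ids this user is assigned to


@dataclass(frozen=True)
class AuditEntry:
    at: str
    user_id: str
    action: str
    response_id: str
    allowed: bool
    reason: str


class ResponseStore:
    def __init__(self, records):
        self._records = {r["response_id"]: dict(r) for r in records}
        self.audit_log = []  # append-only; denied attempts are logged too

    def _record_decision(self, user, action, response_id, allowed, reason):
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), user.user_id, action, response_id, allowed, reason))

    def _authorise(self, user, action, record):
        """Return (allowed, reason). The role check and the scope check must both pass."""
        if action not in ROLE_PERMISSIONS.get(user.role, set()):
            return False, f"role {user.role!r} may not {action}"
        in_scope = (ALL_CONSULTATIONS in user.consultations
                    or record["consultation"] in user.consultations)
        if not in_scope:
            return False, f"user not assigned to consultation {record['consultation']!r}"
        return True, "ok"

    def read(self, user, response_id, identifiable=False):
        """Return the response, redacted unless identifiable access is requested and authorised."""
        action = "read_identifiable" if identifiable else "read_anonymised"
        record = self._records.get(response_id)
        if record is None:
            self._record_decision(user, action, response_id, False, "no such response")
            raise KeyError(response_id)
        allowed, reason = self._authorise(user, action, record)
        self._record_decision(user, action, response_id, allowed, reason)
        if not allowed:
            raise PermissionError(reason)
        if identifiable:
            return dict(record)
        return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def can_read(store, user, response_id, identifiable=False) -> bool:
    """True if the read is permitted, False if the store denies it (still audited)."""
    try:
        store.read(user, response_id, identifiable)
        return True
    except PermissionError:
        return False


# Constructed sample data (not real participants or staff).
RECORDS = [
    {"response_id": "r1", "consultation": "park-redesign", "name": "A. Example",
     "email": "a@example.invalid", "ward": "North", "text": "Keep the playground."},
    {"response_id": "r2", "consultation": "bus-routes", "name": "B. Example",
     "email": "b@example.invalid", "ward": "South", "text": "Later evening buses."},
]
ANALYST = User("u-analyst", "analyst", frozenset({"park-redesign", "bus-routes"}))
PARK_LEAD = User("u-lead", "consultation_lead", frozenset({"park-redesign"}))
DPO = User("u-dpo", "data_protection_officer", frozenset({ALL_CONSULTATIONS}))

if __name__ == "__main__":
    store = ResponseStore(RECORDS)
    print(store.read(ANALYST, "r1"))                          # no name or email in the view
    print(can_read(store, PARK_LEAD, "r2", identifiable=True))  # False: wrong consultation
    for entry in store.audit_log:
        print(entry.user_id, entry.action, entry.response_id, entry.allowed, entry.reason)
```

The scope check is the part spreadsheets and shared drives cannot express: a consultation lead with a legitimate need for identifiable data on one consultation still cannot open another consultation's responses. Logging the denied attempts as well as the allowed ones is what turns the log into the "demonstrable proof of compliance" the table refers to, and it is also the signal to watch for repeated denials against identifiable data.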
Many organisations and government teams utilise dedicated software, such as stakeholder consultation software, to manage their consultation information efficiently. This technology can support compliance, but it introduces third-party risk that must be managed during procurement:
Procurement checklist: The software provider must be compliant with the UK GDPR and have a data processing agreement (DPA) in place. Their security certifications should be verified.
Data location: To avoid international data transfers that may render you non-compliant with the UK GDPR, verify that data is hosted within the UK or the European Economic Area (EEA). Data should always remain within the data hosting area. Some SRMs that use third-party integrations cannot guarantee this.
Security features: Assess features critical for protecting public data, such as encryption (at rest and in transit), multi-factor authentication (MFA), and role-based access controls (RBAC).
Jambo SRM software is compliant with UK GDPR, has all the necessary security certifications, hosts data within the EEA and has robust security features including encryption, MFA and RBAC.