What is the GDPR?

The General Data Protection Regulation (GDPR) is a new, Europe-wide law that replaces the Data Protection Act 1998 in the UK. It is part of the wider package of reform to the data protection landscape that includes the Data Protection Bill. The GDPR sets out requirements for how organisations will need to handle personal data from 25 May 2018.

What information does the GDPR apply to?

The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. You can find more detail in the key definitions section of our Guide to the GDPR.

Can you help me decide what to include in my privacy notice?

The GDPR sets out the information you should supply and when individuals should be informed.

The information you supply about the processing of personal data must be: 

  • concise, transparent, intelligible and easily accessible;
  • written in clear and plain language, particularly if addressed to a child; and
  • free of charge.

There’s more information in our right to be informed section of the Guide to the GDPR.

Are we a public authority under GDPR?

The Data Protection Act (when passed) will define ‘public authority’ but it is likely that if you are a public authority as defined under the Freedom of Information Act 2000, or Freedom of Information (Scotland) Act 2002, you will be a public authority for the purposes of the GDPR.

I work for a small local council, do I need to appoint a data protection officer (DPO)?

Yes. Under the GDPR, you must appoint a DPO if you:

  • are a public authority (except for courts acting in their judicial capacity);
  • Your core activities include large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  • Your core activities include large scale processing of special categories of data or data relating to criminal convictions and offences.
  • There’s a section on DPOs and when they need to be appointed in our Guide to the GDPR.

Can organisations share a DPO?

You may appoint a single data protection officer to act for a group of public authorities or bodies, taking into account their organisational structure and size. There is more on appointing a DPO in our section on DPOs and when they need to be appointed in our Guide to the GDPR.

Can the DPO be an existing employee?

The person you appoint as a DPO can be an existing employee, provided the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interest.

What is a conflict of interest in relation to a DPO?

Conflict of interest means a conflict with possible other tasks and duties. This means the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. More information on this can be found at questions 9 and 10 of the Article 29 DPO FAQ's and in the Article 29 guidelines on DPO's

What are the legal implications for a DPO?

DPO’s are not personally responsible for non-compliance with the GDPR. The GDPR makes it clear that it is the controller or the processor who must demonstrate that processing is undertaken in compliance with the GDPR. Data protection compliance is the responsibility of the controller or processor.

What are the rules on security under the GDPR?

The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used. You can find more guidance in the security section of our Guide to the GDPR.

Can local councillors still communicate using their private email accounts and personal devices?

The ICO has produced guidance under the DPA that helps data controllers understand what they need to consider when permitting the use of personal devices to process personal data for which they are responsible. Our Bring Your Own Device Guidance Will be updated but much of the content remains relevant and therefore itis a good place to start.

Is there a toolkit I can use to prepare for GDPR?

Use our checklists to assess your compliance with data protection law and find out what you need to do to make sure you are keeping people’s personal data secure. Once you have completed each self assessment checklist a short report will be created suggesting practical actions you can take and providing links to additional guidance you could read that will help you improve your data protection compliance.

What lawful bases for processing should I use?

The six lawful bases for processing are broadly similar to the old conditions for processing, although there are some differences. You need to review your existing processing, identify the most appropriate lawful basis, and check that it applies. More information can be found in our lawful basis section of our Guide to GDPR.

Do small councils need to register under GDPR?

If you needed to register under the Data Protection Act 1998, then you will probably need to pay a relevant fee, under the Data Protection (Charges and Information) Regulations 2018.

The new Regulations will come into force on 25 May 2018. This doesn’t mean that everyone has to pay the new fee on that date. Data controllers who have a current registration (or notification) under the 1998 Act, do not have to pay the new fee until that registration has expired.

You can find more detail in our Guide to the Data Protection Fee.

Will individual Councillors still need to pay a fee to the ICO?

If individual Councillors are acting as a representative of the residents of their ward (e.g. taking forward complaints made by their local residents) then they would be a data controller in their own right and would not be covered by the local authority’s registration. Therefore they would need to pay the new fee.

How will GDPR affect data sharing agreements?

If you have an existing data sharing agreement, and this agreement complies with the DPA, it is likely to remain valid under the GDPR. However, under GDPR a data protection impact assessment (DPIA) should be carried out for any new or revised data sharing agreements. DPIA guidance will be available in early 2018.

Also, the GDPR contains explicit provisions about documenting processing activities including maintaining records on data sharing. More information on the documentation requirements can be found in the documentation section of the Guide to GDPR