What is the GDPR?
The General Data Protection Regulation (GDPR) is a new, Europe-wide law. The UK General Data Protection Regulation (UK GDPR) is part of the data protection landscape that includes the Data Protection Act 2018 (the DPA 2018). The GDPR sets out requirements for how organisations need to handle personal data.
What information does the GDPR apply to?
The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. You can find more detail in the key definitions section of our Guide to the GDPR.
Can you help me decide what to include in my privacy notice?
The GDPR sets out the information you should supply and when individuals should be informed.
The information you supply about the processing of personal data must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
There’s more information in our right to be informed section of the Guide to the GDPR.
Are we a public authority under GDPR?
Section 7 of the DPA 2018 defines what is a public authority’ for the purposes of the UK GDPR.
It says that the following (and only the following) are ‘public authorities’:
- a public authority as defined by the Freedom of Information Act 2000,
- a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002, and
- an authority or body specified or described by the Secretary of State in regulations;
and they are only public authorities for UK GDPR purposes when they are performing a task carried out in the public interest or in the exercise of official authority vested in them.
However, section 7(3) of the DPA 2018 says that the following are not public authorities for the purposes of the UK GDPR:
- a parish council in England;
- a community council in Wales;
- a community council in Scotland;
- a parish meeting constituted under section 13 of the Local Government Act 1972;
- a community meeting constituted under section 27 of that Act;
- charter trustees constituted—
- under section 246 of that Act,
- under Part 1 of the Local Government and Public Involvement in Health Act 2007, or
- by the Charter Trustees Regulations 1996.
While you are not a public authority for UK GDPR purposes, this does not affect your status as a public authority under any other legislation.
Do we need to appoint a data protection officer (DPO)?
As you aren’t a public authority for the purposes of the UK GDPR then you don’t need to appoint a DPO. There are other conditions that require the appointment of a DPO but they are unlikely to apply in your circumstances. There’s more information on DPOs in our Guide to the UK GDPR.
Regardless of whether the UK GDPR obliges you to appoint a DPO, you are still subject to data protection legislation and you must ensure that your organisation has sufficient staff and resources to discharge your obligations under the UK GDPR.
What are the rules on security under the GDPR?
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used. You can find more guidance in the security section of our Guide to the GDPR.
Can local councillors still communicate using their private email accounts and personal devices?
The ICO has produced guidance under the DPA that helps data controllers understand what they need to consider when permitting the use of personal devices to process personal data for which they are responsible. ICO’s Bring Your Own Device Guidance will be updated but much of the content remains relevant and therefore itis a good place to start.
What lawful bases of processing should we use?
The six lawful bases for processing are broadly similar to the old conditions for processing, although there are some differences. You need to review your existing processing, identify the most appropriate lawful basis, and check that it applies. More information can be found in our lawful basis section of our Guide to GDPR.
Do small councils need to register under GDPR?
If you needed to register under the Data Protection Act 1998, then you will probably need to pay a relevant fee, under the Data Protection (Charges and Information) Regulations 2018.
The new Regulations will come into force on 25 May 2018. This doesn’t mean that everyone has to pay the new fee on that date. Data controllers who have a current registration (or notification) under the 1998 Act, do not have to pay the new fee until that registration has expired.
You can find more detail in our Guide to the Data Protection Fee.
Will individual Councillors still need to pay a fee to the ICO?
On 1 April 2019, the rules around paying the data protection fee changed. Members of the House of Lords, elected representatives and prospective representatives are exempt from paying a fee, unless they process personal data for purposes other than the exercise of their functions as a Member of the House of Lords, an elected representative or as a prospective representative. For more information, read our guidance on the data protection fee.
I am an elected representative and have always paid my fee. The rules have changed, do I still have to pay?
It depends. On 1 April 2019, Lords, elected representatives and prospective representatives were exempted from paying the data protection fee. But if you still process personal data for purposes outside your role as a Lord or an elected, or prospective representative then the data protection fee applies. So, if you have your own business that processes personal data or if you use CCTV for business or crime prevention purposes in connection with that business, you may still have to pay the fee. You can get more information about paying the fee in our data protection fee guidance.
How will GDPR affect data sharing agreements?
If you have an existing data sharing agreement, and this agreement complied with the 1998 Act, it is likely to remain valid under the GDPR. However, under the GDPR a data protection impact assessment (DPIA) should be carried out for any new or revised data sharing agreements. More information can be found in the DPIA section of the Guide to the GDPR.
Also, the GDPR contains explicit provisions about documenting processing activities including maintaining records on data sharing. More information on the documentation requirements can be found in the documentation section of the Guide to GDPR.
Is there a toolkit we can use to help us comply with the GDPR?
Use our checklists to assess your compliance with data protection law and find out what you need to do to make sure you are keeping people’s personal data secure. Once you have completed each self assessment checklist a short report will be created suggesting practical actions you can take and providing links to additional guidance you could read that will help you improve your data protection compliance.
Thank you for reading.