Decision details
Preparation for General Data Protection Regulation - GDPR
Decision status: Recommendations Approved
Is Key decision?: No
Is subject to call in?: No
Decisions:
On 25 May 2018, the General Data Protection Regulation (GDPR) will
come into full force. In addition, the Data Protection Bill will
effectively adopt GDPR directly into English law. The new Act will
therefore have three main themes:
• Extending the scope of data regulation
• Empowering individuals to have greater control over their own data
• Building privacy into products and services
• Imposing big sanctions for non-compliance
Members considered a report on progress at the January meeting and this
report provides a further update. The Council has continued to make
progress towards introducing GDPR-compliant measures in time for the
new law coming into effect in three months’ time.
Members were asked to consider and adopt a raft of policies to ensure
compliance with new data protection legislation.
Mr Devonald presented a summary of the report to the members of the committee.
The Chair asked for a reminder to be sent to all Members to complete the GDPR on-line training.
A training session for all Members is to be held before the GDPR enforcement date of 25th May 2018.
Cllr Hubbard requested that the link be re-sent to her.
Cllr Mrs McKinlay MOVED and Cllr Kerslake SECONDED the recommendations in the report and, following a full discussion, a vote was taken on a show of hands and it was RESOLVED UNANIMOUSLY:
1. That the attached updated compliance action plan (Appendix A), be approved to enable officers to roll out effective GDPR compliance across the Council by 25 May 2018.
2. That Members note and approve the following additional revised and updated policy documents:
• Data Protection Policy;
• Data Breach Policy;
• Consents Policy;
• Data Processing Impact Assessments Policy;
• Privacy Notices Policy; and
• Clear Desk Policy,
with delegated authority granted jointly to the Head of Legal
Services and the Senior Information Risk Officer to revise and
update once the details of the new Data Protection Act are known.
Reasons for Recommendation
Members have approved a compliance action plan and project plan. This
is a complex, council-wide project, so some dates for
action/completion under the project plan are subject to change for
operational reasons. In addition, the law in terms of a new Data Protection
Act is not yet enacted and further changes to the detail may be possible.
This will not affect the overall projected completion date of 25 May 2018,
though some on-going work will be necessary.
Specific work flows will be developed following receipt of council-wide
responses to a questionnaire which has been sent out to all departments,
along with guidance notes and other documents. This is vital to capture all
information necessary to ensure compliance in all areas in due course,
both hard copy and electronic. The deadline for responses is 12th March.
After that we will analyse the information and categorise it. A programme
of review and deletion of outdated material will then follow. Specific GDPR
training will be put in place for both officers and Members to complete
over the coming months.
Report author: Phil Devonald
Publication date: 22/03/2018
Date of decision: 12/03/2018
Decided at meeting: 12/03/2018 - Policy, Projects and Resources Committee
Accompanying Documents:
- Preparation for General Data Protection Regulation – GDPR PDF 103 KB
- Appendix A - Updated GDPR Compliance Plan PDF 50 KB
- Appendix B - Data Protection Policy PDF 76 KB
- Appendix C - Data Breach Policy PDF 72 KB
- Appendix D - Information Security Policy PDF 59 KB
- Appendix E - Consents Policy PDF 72 KB
- Appendix F - Data Processing Impact Assessments Policy PDF 81 KB
- Appendix G - Privacy Notices Policy PDF 59 KB
- Appendix H - Clear Desk Policy PDF 42 KB