GDPR Action Plan Update


The Policy and Information Manager introduced the report providing an update on progress against the General Data Protection Regulations (GDPR) action plan.  The report also provided the Committee with the Information Commissioner’s (ICO) report ‘GDPR – one year on’.


The ICO believed that the regulations and work on awareness had increased awareness among individuals and businesses regarding rights.  This had resulted in an increase in contact from individuals to businesses regarding their rights, and this was something the Council had also experienced.


The ICO set seven regulatory priorities for the year ahead, including cyber security, children’s privacy, political campaigns and surveillance – all of which were particularly relevant to the Council.


Paragraph 2.6 set out examples where notices of intent had been issued by the ICO.  A further case example, resulting in a £275k fine for a business, was circulated to the Committee; the fine had been due to poor storage of documents, which had been left open to damage.


The updated plan was set out in Appendix 1.  Whilst the work on a record of processing activities and on CCTV had been completed, the work on the Council’s information asset register remained outstanding.  This was due to this piece of work being deprioritised amid pressures and staffing changes within the team.


In response to questions, the Committee were informed that the Information Management Group, which covered more than GDPR, met quarterly, with the next meeting to be held on 28 January 2020.  The CCTV review had been completed and the Information Management Group were overseeing the recommendations from that review.


Protection of addresses was an important issue to avoid action from the ICO.  The action plan set out the action on information audits which had been completed; they included a thorough review of process and considered safeguarding actions for address data.  The Council did experience data breaches, as any organisation dealing with the same amount of data would, but staff took immediate action if a data breach occurred.  On occasions the Council had self-reported to the ICO, but no further action was taken.


The Committee requested clarification on the Data Protection assessment process for ICT projects.  Initially, projects considered whether there were any data protection implications and, if there were, the project was required to complete a Data Protection Impact Assessment.  This would include considerations of security of data in the ICT environment for the project.  It was also noted that ICT project management was included in the draft 2020/21 audit plan.


There was recognition from the Committee on the importance of GDPR in political campaigning and they requested guidance on the issue.  National guidance was already in place and the Policy and Information Manager undertook to circulate this to Members.


Questions were asked about parishes retaining information, particularly on planning applications, and the Committee were informed that parishes needed to be clear on why they were holding it, to store it securely and to follow retention schedules and guidance.


RESOLVED:  That the progress of the implementation of the General Data Protection Regulations be noted.



