Agenda item

General Data Protection Regulation Preparation Update


Mrs Angela Woodhouse, Head of Policy, Communications and Governance introduced the report providing an update on the General Data Protection Regulation (GDPR) that would replace the Data Protection Act (DPA) 1998, with effect from 25 May 2018.


Mrs Woodhouse advised the Committee that the report outlined progress made on raising awareness and training, auditing information held by the Council, information sharing and the documentation the Council was required to have on processes.  A third of the total action plan had been completed.  The Information Commissioner’s Office had been very clear that organisations did not have to be fully compliant by 25 May 2018.  However, the Council had to be able to demonstrate that it had a clear plan and preparations in place for compliance.  A lot of work had been undertaken, but there was still a lot to be done going beyond 25 May 2018.


In response to questions, the Head of Policy, Communications and Governance/Policy and Information Manager explained that:


·  The GDPR Practitioner course had been provided by Act Now and details could be made available.  The Council was still awaiting an e-learning module for Councillors from the Local Government Association.  The module had already been delayed once, and was now expected by Easter.  As soon as the module was available on-line, a link would be sent to Members.  Earlier in the year, Officers had attended a conference which included a basic introduction to the GDPR.  A link to YouTube videos of speakers could be sent to Members to enable them to learn more about the GDPR.


·  In terms of risk management, it was a major concern that suppliers might not be able to demonstrate compliance with the GDPR.  The risk related to the lack of control and the possibility of having to make new arrangements in future.  There might be additional costs involved that could not have been planned for.  Discussions were taking place with suppliers and the ICT and Procurement Teams, but there were unknown elements at the moment.


·  The Information Commissioner’s Office had made it very clear that so long as the Council had a plan and could demonstrate that it was making preparations for the GDPR, taking account of the risks involved and planning appropriate mitigation, then there was leeway in being fully compliant by 25 May 2018.


·  Work had not started yet on shared service arrangements in the context of GDPR, but risks would start to reduce as discussions took place with MKS partners, and areas of concern were identified.


·  The Officers would be more than happy to provide advice and information to Parish Councils through KALC, in addition to information that was available from the Information Commissioner’s Office, having regard in particular to their responsibilities as providers of devolved services.

·  In terms of progress against the action plan, some actions might be delayed, such as the provision of guidance on the Council’s website and additional guidance and training for staff.  The record of processing activities would be completed in time and whilst some privacy notices might be delayed, overarching ones would be in place.


·  The penalty for data breaches would increase significantly from up to £500k now to up to 20m euros depending on the issue and the impact on the individual.


RESOLVED:  That the update on the Council’s preparation for the GDPR be noted.


Supporting documents: