Report To Council

Titley & District Group Parish Council – 8th May 2018 

Clerk’s Report to Council

General Data Protection Regulations (GDPR)

Purpose of Report

This report is to update Council on the GDPR, which come into force on 25 May 2018 and replace the existing law – the Data Protection Act 1998.  Local Councils and Parish Meetings must comply and arrange for the control of personal data held and processed by the Council (the Data Controller).


The concepts and principles are very similar to the ’98 Act in that personal data must be processed lawfully, fairly and transparently; used only for a specific purpose; accurate and up to date; retained no longer than necessary and processed in a manner that ensures appropriate security and protection.

However, Councils will have to do some things for the first time and do other things differently.  Changes include new reporting requirements, increased fines and penalties, new rules on obtaining consent and writing privacy notices.  Other changes to note:

  • Councillors and staff must have ‘suitable training’
  • A Data Protection Officer will need to be appointed
  • The £10 charge for a data subject access request has been removed
  • Council must respond to a Subject Access Request (SAR) in a calendar month (was 40 days)
  • Councils will no longer register with the Information Commissioner’s Office (ICO) but will be required to pay an annual fee. The fee (yet to be set) will be based upon the size of the Council, the amount of data it processes and its annual turnover
  • Breaches must be notified to the ICO normally within 72 hours
  • Failure to comply with the new law places significant risk with fines of £17M or 4% of global turnover, whichever is the greater

Further detail is set out in the NALC ‘Toolkit’ circulated to Councillors and Councillors are recommended to read pages 1 to 25 this to ensure they are fully briefed.

Action Plan

The table below sets out the basic documentation that the Council needs to put in place to demonstrate that it is working towards compliance.  A detailed Action Plan should be maintained in order that progress can be monitored.

Complete Data Audit What data is held?

Where does is come from?

Where is it kept and who has access?
What does the Council do with it?

Who is it disclosed to?

Lawful basis?

Risks involved?

Documents and records should be retained no longer than necessary – see NALC Legal Topic Note 40.
Data Processing Log Description


Nature and purpose of processing

Type of data


Retention duration

Keep this log for new activities
Consent Forms Review/refresh existing

Send out new ones

Must be by ‘opt in’ method and appropriate

Record how and when consent is obtained
Privacy Notice and Privacy Policy Review/update existing

Must be transparent and clear in plain language, easy to access

Detailed privacy notices best on website
Data Protection Policy Complete or review existing

Include how the Council will respond to a breach

Date Subject Access Request Policy Complete or review Includes sample response letters


Not all recommended documentation may be completed by 25 May but the detailed Action Plan will show what plans the Council has in place to complete the remaining/ongoing steps.

Data Protection Officer

The legislation requires the appointment of a DPO who cannot be the Clerk as Data Processor, nor Councillors as Data Controller because there is a conflict of interest.  Clerks are also unlikely to be able to fulfil all that is required of a DPO including relevant training, qualifications and experience.  NALC are exploring options with the ICO on how best parish councils can fulfil the requirement to appoint a DPO.  Until this is resolved and in order to provide central support and guidance in respect of compliance with the GDPR, the Council should consider the appointment of the Clerk as Data Protection Compliance Officer.


  • The Council endorses the action plan set out above and notes the detail set out in the Toolkit
  • The Council adopts draft Policies referred to above
  • The Council addresses the appointment of a DPO once options are further clarified
  • The Clerk should be formally appointed Data Protection Compliance Officer.