Preparation for the General Data Protection Regulation

Meeting: 27/06/2017 - Council (Item 30)

30 Preparation for the General Data Protection Regulation (PDF, 83 KB)

At its meeting on 7 June 2017 the Executive Committee considered a report which sought to prepare the Council for the General Data Protection Legislation. The Committee RECOMMENDED TO COUNCIL that ongoing funding for the Business Administration Manager post be included in the base budget for 2018/19 and future years.

30.1 At its meeting on 7 June 2017, the Executive Committee had considered a report which detailed the preparations required for compliance with the General Data Protection Regulation that was due to be implemented on 25 May 2018. The Executive Committee had recommended to Council that ongoing funding for the Business Administration Manager post be included in the base budget for 2018/19 and future years.

30.2 The report which was considered by the Executive Committee had been circulated with the Agenda for the current meeting at Pages No. 17-30.

30.3 The recommendation was proposed by the Vice-Chair of the Executive Committee. He informed Members that the Regulation significantly increased the data protection obligations on the Council and that its requirements were extensive and complex. He explained the risks associated with non-compliance, which were reputational and financial, the latter involving fines that could be as much as 20 million. Members were encouraged to support the recommendation to establish a Business Administration Manager’s post, the holder of which would work with the Senior Information Risk Owner, the Data Controller and all teams to implement the requirements of the General Data Protection Regulation and maintain compliance after the implementation date of May 2018.

30.4 During the discussion which ensued, a Member questioned whether the Regulation was linked to the European Union (EU). In response, the Chief Executive explained that this was an EU Regulation but the United Kingdom (UK) government had already indicated that it intended to adopt the same standard, regardless of Britain’s exit from the EU, and this had been confirmed by the Information Commissioner’s Office. The Regulation had a serious impact on all organisations that stored, handled and received personal data and, as well as ensuring it was in compliance, the Council would need to help others to comply, e.g. Parish Councils. Another Member questioned whether the Regulation would have an impact on individuals, i.e. when Councillors kept personal data on their files. In response, the Chief Executive advised that if information was held by individuals the legislation did not apply; however, as Councillors, they may have the information for one of three reasons: in their role as a Councillor; for Ward purposes; or for personal information. When handling the Council’s data they were covered by the Council as a whole and therefore there was a duty to manage it properly. The Ward information was a Councillor’s own personal responsibility and he encouraged Members to register themselves with the Information Commissioner’s Office as a Ward Councillor. In order to ensure Councillors were kept fully apprised of the legislation as it developed, seminars would be provided in due course. The purpose of the recommendation today was to gain the financial support for the new post.

30.5 A Member noted that the job description for the new Business Administration Manager post indicated that there would be a large impact on the Council and she felt this would also apply to Parish and Town Councils; she questioned whether the new post would be available for

Meeting: 07/06/2017 - Executive (Item 9)

9 Preparation for the General Data Protection Regulation (PDF, 82 KB)

To consider the action plan which will enable the Council to achieve compliance with the General Data Protection Regulation and to approve the establishment of a post of Business Administration Manager subject to a recommendation to Council that ongoing funding be included in the base budget for 2018/19 and future years.

Subject To Call In: 1. No - Item to note. 2. Yes - No action to be taken prior to the expiry of the call-in period. 3. No - Recommendation to Council.

1. That the action plan, which would achieve compliance with the General Data Protection Legislation, attached to the report at Appendix 1, be NOTED.

2. That, subject to (3) below, a Business Administration Manager’s post be established in accordance with Section 4 of the report.

3. That it be RECOMMENDED TO COUNCIL that ongoing funding for the Business Administration Manager post be included in the base budget for 2018/19 and future years.

9.1 The report of the Chief Executive, circulated at Pages No. 41-54, summarised the impact on the Council of the new General Data Protection Regulation, which would come into force on 25 May 2018, and the associated risks of non-compliance. Members were asked to note the action plan, attached at Appendix 1 to the report; to approve the establishment of the post of Business Administration Manager; and to recommend to Council that the ongoing funding for that post be included in the base budget for 2018/19 and future years.

9.2 The Chief Executive explained that the General Data Protection Regulation would come into force across the European Union (EU) on 25 May 2018 and would replace existing data protection laws. The Council had been advised that this would be in place as long as the UK formally remained within the EU, but the government had also indicated that the Regulation would remain in place after the UK’s exit from the EU. The new Regulation would increase the rights of individuals over their personal data and tighten the obligations of all organisations to comply with the new rules concerning the management of personal information. The new Regulation would significantly increase the data protection obligations on the Council and, although existing data protection procedures were in place, those required extensive review and revision in order to achieve compliance with the General Data Protection Regulation framework. The most significant addition was the new ‘accountability’ requirement whereby organisations would need to be able to demonstrate compliance with the General Data Protection Regulation principles by, for example, maintaining documentation on decisions about why personal information was being processed. Another important change was the vastly increased fines for those organisations that failed to comply or permitted data breaches; for serious breaches organisations could be fined up to 20 million and for less serious breaches, or for failing to keep records, the fine could be up to 10 million.

9.3 Members were advised that, to demonstrate compliance, the Council must implement technical and organisational measures including data protection policies, staff and Member training and internal data processing audits; maintain relevant documentation on processing activities; appoint a Data Protection Officer, which was a new statutory role; implement measures that met the principles of data protection by design, including data minimisation, use of artificial identifiers and transparency; and implement data protection privacy impact assessments. The requirements of the General Data Protection Regulation were extensive and complex and, as such, it was felt that a dedicated resource was needed to lead and coordinate the associated activities. As the cost of the proposed Business Administration Manager post was outside of the budget, its funding needed to be a recommendation to Council.

9.4 During the discussion which ensued, a Member noted that the maximum annual cost of the new post would be £50,970 including on-costs and she questioned whether this could be achieved for any less. In response, the Chief Executive advised that the cost identified was the maximum cost