Agenda item

Preparation for the General Data Protection Regulation

To consider the action plan which will enable the Council to achieve compliance with the General Data Protection Regulation and to approve the establishment of a post of Business Administration Manager subject to a recommendation to Council that ongoing funding be included in the base budget for 2018/19 and future years.

Subject To Call In: 1. No - Item to note. 2. Yes - No action to be taken prior to the expiry of the call-in period. 3. No - Recommendation to Council.

Decision:

1. That the action plan, which would achieve compliance with the General Data Protection Legislation, attached to the report at Appendix 1, be NOTED.

2. That, subject to (3) below, a Business Administration Manager’s post be established in accordance with Section 4 of the report.

3. That it be RECOMMENDED TO COUNCIL that ongoing funding for the Business Administration Manager post be included in the base budget for 2018/19 and future years.

Minutes:

9.1 The report of the Chief Executive, circulated at Pages No. 41-54, summarised the impact on the Council of the new General Data Protection Regulation, which would come into force on 25 May 2018, and the associated risks of non-compliance. Members were asked to note the action plan, attached at Appendix 1 to the report; to approve the establishment of the post of Business Administration Manager; and to recommend to Council that the ongoing funding for that post be included in the base budget for 2018/19 and future years.

9.2 The Chief Executive explained that the General Data Protection Regulation would come into force across the European Union (EU) on 25 May 2018 and would replace existing data protection laws. The Council had been advised that this would be in place as long as the UK formally remained within the EU but the government had also indicated that the Regulation would remain in place after the UK’s exit from the EU. The new Regulation would increase the rights of individuals over their personal data and tighten the obligations of all organisations to comply with the new rules concerning the management of personal information. The new Regulations would significantly increase the data protection obligations on the Council and, although existing data protection procedures were in place, those required extensive review and revision in order to achieve compliance with the General Data Protection Regulation framework. The most significant addition was the new ‘accountability’ requirement whereby organisations would need to be able to demonstrate compliance with the General Data Protection Regulation principles by, for example, maintaining documentation on decisions about why personal information was being processed. Another important change was the vastly increased fines for those organisations that failed to comply or permitted data breaches; for serious breaches organisations could be fined up to 20 million and for less serious breaches, or for failing to keep records, the fine could be up to 10 million.

9.3 Members were advised that, to demonstrate compliance, the Council must implement technical and organisational measures including data protection policies, staff and Member training and internal data processing audits; maintain relevant documentation on processing activities; appoint a Data Protection Officer, which was a new statutory role; implement measures that met the principles of data protection by design including data minimisation, use of artificial identifiers and transparency; and implement data protection privacy impact assessments. The requirements of the General Data Protection Regulation were extensive and complex and, as such, it was felt that a dedicated resource was needed to lead and coordinate the associated activities. As the cost of the proposed Business Administration Manager post was outside of the budget, its funding needed to be a recommendation to Council.

9.4 During the discussion which ensued, a Member noted that the maximum annual cost of the new post would be £50,970 including on-costs and she questioned whether this could be achieved for any less. In response, the Chief Executive advised that the cost identified was the maximum cost for the grade; however, the post had not yet been evaluated so the cost could come down. The postholder would be responsible for managing protocols and ensuring all services across the Council complied with the new Regulations so, as could be seen from the draft job description circulated with the report, it was a significant and important role.

9.5 Accordingly, it was

Action By: CE
