Issue - meetings

General Data Protection Regulation and Data Protection Act 2018

Meeting: 24/09/2018 - Audit and Standards Committee (Item 38)

38 General Data Protection Regulation and Data Protection Act 2018 pdf icon PDF 958 KB

Presentation by the Head of Business Support.


Liann Stibbs, Access Manager, Information Governance Unit, gave a presentation on the General Data Protection Regulation (GDPR) and Data Protection Act (DPA) Act 2018.  This legislation replaced and amended the previous legislation and prepared the Council ready for the digital age.  The legislation came into force on 25 May 2018.  Fines had increased, for example, if personal data was lost the fine could be £17.5m.  Fines for public authorities would be lower than this, but higher than the previous maximum of £500,000. There was an onus that everyone knew what to do with data and if data was lost that people were aware of what to do to mitigate the risks.


People’s rights had also increased. They could request that their data was erased and that data processing was stopped.  If they disagreed with something a review could be undertaken.  There was much more onus on the individual to own their data.  Emails had reduced in number since May as people now had to opt in to receiving data in specific instances.  The Information Commissioner’s (IC) Office had issued guidance and assistance to ensure they could respond if a data breach occurred.


There was a dedicated unit at the Council that monitored emails outside working hours should a breach occur.  A review of what had happened was undertaken, and advice on the necessary steps to mitigate against any further breach. There was mandatory reporting to the IC’s office of 72 hours if a breach occurred.  There was a statutory position within the Council of a Data Protection Officer held by Tracy Thorley.  She would be aware of any serious breaches and was responsible for the Council’s Information Governance Strategy.


Transparency was key.  There were more requirements now for people to know what is happening to their data, and more control over what they consented should happen to their data. A Member questioned the relevance of some data that had been held in regard to him by a motoring organisation.  He was advised that he could ask why this data was being held through the IC’s office.


In terms of getting ready for the review, the government announced that they were going to write the GDPR but there was a lack of sufficient information and guidance for local authorities, so interpretation of the legislation had been left to those working in the information governance field supported by advice from the IC’s office.  The DPA had made changes in terms of adapting the GDPR for the UK, so reference was made to fraud, for example in respect of social services. Children’s consent is set at 13 years, in line with UK case law rather than the European standard.  The terms GDPR and DPA are currently used interchangeably, but after Brexit there would just be the DPA 2018. 


A gap analysis had been undertaken. The Authority generally complied with the legislation, but some key areas were identified.  Project leads had been identified beginning at a senior manager level to support the introduction  ...  view the full minutes text for item 38