General Data Protection Regulation (GDPR)
What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union regulation that will replace the current Data Protection Act 1998 and comes into force on 25th May 2018. GDPR has been in development since 2012 by the European Union Parliament and the Trust, with the aim of harmonising and strengthening the rights of data subjects across Europe, including when data is transferred to third-party countries. It will repeal existing data protection laws in all EU member states and, in the UK, will replace the Data Protection Act 1998. The Regulation enhances the rights of individuals whose personal data is processed and introduces new rights such as the right to be forgotten and the right to erasure.
How does this apply to Town & Parish Councils?
The GDPR applies to all local councils, and also to a parish meeting without a separate parish council, because a local council and a parish meeting are public authorities. The GDPR states that organisations, including local councils and parish meetings, will need to appoint a Data Protection Officer (“DPO”) if they meet certain criteria. Local councils and parish meetings will not fall within the definition of a ‘public authority’ for the purposes of the Data Protection Act 2018. The rationale for this, according to the debates in Parliament, is that local councils and parish meetings will not normally be processing personal data ‘on a large scale’. However, larger local councils that do process personal data on a large scale may still have to appoint a DPO.
GDPR Data Breaches
Organisations will have a duty to notify the Information Commissioner’s Office (ICO) within 72 hours of any breach, i.e. where they have inadvertently shared someone’s personal data with a third party. Such breaches can result in severe financial penalties for an organisation.