From 25 May 2018, Runnymede Council will need to demonstrate compliance with new General Data Protection Regulation (GDPR) requirements.
GDPR will replace the Data Protection Directive (1995). The new regulation is designed to enable individuals to better control their personal data. There will be NO transitional relief period to clean up legacy issues after 25 May 2018.
What does this mean in practice?
Our council's law and governance team is planning ahead for the operational changes and will continue to raise awareness of the new requirements.
This will include:
Planning and resourcing the appointment of a data protection officer whose job description is compliant with GDPR requirements
Revising information governance and related policies, addressing accountability, data protection officer reporting arrangements and statutory reporting requirements
Implementing our council's GDPR plan, which includes completing our data cleansing process, matching retention requirements to our Asset Register items, and other of measures to meet the requirements
The new requirements include key changes for Runnymede Council. From May 2018:
The council will have to show how it has complied with the new law
Penalties will be significantly increased for any breach of the regulation - not just data breaches
Security breach notifications will be a legal requirement - to be notified within 72 hours
Charges will be removed in most cases for provision of records to residents, staff or service users who request them. Our council will have to waive the current £10 fee by 25 May 2018
Runnymede Council will be required to keep records of data-processing activities
High-risk processing will require a data protection impact assessment
Data protection issues must be addressed in all information processes
There will be specific requirements for transparency and fair processing
There will be tighter rules where consent is the basis for processing
Retention and the 'right to be forgotten'; the council must inform subjects on collection of the timeframe data will be retained
Should the data subject subsequently wish to have their data removed, and the data is no longer required for the reasons it was collected, it must be erased.