General Data Protection Regulation

From 25 May 2018, Runnymede Council will need to demonstrate compliance with new General Data Protection Regulation (GDPR) requirements.

GDPR will replace the Data Protection Directive (1995). The new regulation is designed to enable individuals to better control their personal data. There will be NO transitional relief period to clean up legacy issues after 25 May 2018.

What does this mean in practice?

Our council's law and governance team is planning ahead for the operational changes and will continue to raise awareness of the new requirements.

This will include:

  • Planning and resourcing the appointment of a data protection officer whose job description is compliant with GDPR requirements

  • Revising information governance and related policies, addressing accountability, data protection officer reporting arrangements and statutory reporting requirements

Implementing our council's GDPR plan, which includes completing our data cleansing process, matching retention requirements to our Asset Register items, and other of measures to meet the requirements

Key changes

The new requirements include key changes for Runnymede Council. From May 2018:

  • The council will have to show how it has complied with the new law

  • Penalties will be significantly increased for any breach of the regulation - not just data breaches

  • Security breach notifications will be a legal requirement - to be notified within 72 hours

  • Charges will be removed in most cases for provision of records to residents, staff or service users who request them. Our council will have to waive the current £10 fee by 25 May 2018

  • Runnymede Council will be required to keep records of data-processing activities

  • High-risk processing will require a data protection impact assessment

  • Data protection issues must be addressed in all information processes

  • There will be specific requirements for transparency and fair processing 

  • There will be tighter rules where consent is the basis for processing

  • Retention and the 'right to be forgotten'; the council must inform subjects on collection of the timeframe data will be retained

  • Should the data subject subsequently wish to have their data removed, and the data is no longer required for the reasons it was collected, it must be erased.