Protection Regulation (GDPR)
What is GDPR?
The General Data Protection Regulation (GDPR) is a
European Union regulation that will replace the current Data Protection Act
1998 and comes into force on 25th May 2018. GDPR has been in development since
2012 by the European Union Parliament and the Trust to harmonise and strengthen
the rights of data subjects across Europe, including when data is transferred to
third party countries. It will repeal existing data protection laws in all
EU member states and will replace the UK's Data Protection Act
1998. The Regulation enhances the rights of individuals whose personal
data is processed and allows for new changes such as the right to be forgotten
and the right to erasure.
How does this apply to Town & Parish Councils?
The GDPR applies to all local councils and also to
a parish meeting without a separate parish council because a local council and
a parish meeting are public authorities. The GDPR states that organisations,
including local councils and parish meetings, will need to appoint a Data
Protection Officer (“DPO”) if they meet certain criteria. Local councils and
parish meetings will not fall into the definition of a ‘public authority’ for
the purposes of the Data Protection Act 2018. The rationale for this, according
to the debates in Parliament, is that local councils and parish meetings will
not normally be processing personal data ‘on a large scale’. However, larger
local councils who do process personal data on a large scale may still have to
appoint a DPO.
GDPR Data Breaches
Organisations will have a duty to notify the
Information Commissioner's Office (ICO) within 72 hours of any breaches, i.e. where
they have inadvertently shared someone's personal data with a third party.
These breaches can result in severe financial penalties for an organisation.