General Data Protection Regulation

The General Data Protection Regulation ("GDPR") will take effect in the UK from 25 May 2018.  It replaces the existing law on data protection (the Data Protection Act 1998) and gives individuals more rights and protection regarding how their personal data is used by councils.  Local councils and parish meetings must comply with its requirements, just like any other organisation. The GDPR applies to all local councils and also to a parish meeting without a separate parish council because a local council and a parish meeting are public authorities.  The GDPR requires councils and parish meetings to appoint a Data Protection Officer ("DPO").  This is confirmed by new data protection legislation currently being debated in parliament.  For the GDPR and the new data protection legislation, the definition of public authorities is the same as that used in the Freedom of Information Act 2000 (which includes local councils and a parish meeting constituted under s. 13 of the Local Government Act 1972). 

The Data Protection Act 1998 requires every data controller (eg organisation, sole trader) who is processing personal information to register with the ICO, unless they are exempt. Over half a million organisations are currently registered.