Agenda item

General Data Protection Regulation Programme - Update

 

The Data Protection Officer will submit a report providing an update on the progress being made towards meeting the requirements of the General Data Protection Regulations that become enforceable on the 25th May, 2018.

 

Minutes:

The Data Protection Officer submitted a report providing an update on the progress being made towards meeting the requirements of the General Data Protection Regulations 2018 (GDPR) which came into force on the 25th May, 2018.

 

The report provided information on the background to the General Data Protection Regulations, the implications for the Council and the considerable work that had been undertaken by the Information Governance Team over the last 18 months in preparation, particularly in relation to 7 broad work streams, process mapping and the involvement of each individual Business Unit.

 

Reference was also made to:

 

·         the implications in relation to the rights of individuals

·         accountability and governance

·         meetings held with communications to agree the approach and timelines required for publication of GDPR related information

·         the development and amendment of Council policies

·         training and awareness sessions organised

·         the decision that the Data Protection Officer provide a service for Parish Councils in the Borough and for the South Yorkshire Pensions Authority.  In addition, schools had been asked if they wished to consider purchasing the service from the Council

·         it was proposed that an update report be submitted two or three times a year and that Internal Audit undertake regular audits as this would give the Committee greater assurance around compliance.

 

An updated Programme Plan was appended to the report.

 

It was reported that the GDPR required the Authority to appoint a person to fulfil the role of the Data Protection Officer and this was to be undertaken by the Head of Internal Audit and Corporate Anti-Fraud.  A further Appendix to the report provided details of the role and responsibilities of this post.  Arrangements were also being made to ensure that appropriate support was available, including formalising reporting to this Committee, to the Information Management Board, SMT and Cabinet.

 

In the ensuing discussion particular reference was made to the following:

 

·         work was progressing to ensure that all contracts entered into by the Council were GDPR compliant

·         the significant work undertaken in relation to GDPR meant that the authority had reviewed how it handled and stored data

·         it was anticipated that in the future there were likely to be challenges (in a similar manner to PPI) about the ways in which personal data was handled and the concern was that this would generate a significant amount of work

·         there was a discussion of the ways in which the Authority could assure itself that all partners were complying with these regulations and of the role of the Data Controller in this

·         it was not thought that work emanating from Parish Councils would be particularly onerous due to the type of information held by them

·         reference was made to the qualifications required to be a DPO and to the fact that the Head of Internal Audit and Corporate Anti-Fraud had completed and passed those qualification requirements

·         there was a discussion of the fines that could be levied in the event of a breach.  The External Auditor commented on the implications for the Council in terms of contracts and also in relation to a third party breaching the requirements of GDPR.  It was accepted, however, that the Authority had taken all necessary action to mitigate against the risks involved. 

 

RESOLVED:

 

(i)            that the report be received and that the progress made to date to prepare for the GDPR coming into force be noted;

 

(ii)          that the assurance regarding the actions in place to address key areas in advance of the implementation date of 25th May, 2018 be noted; and

 

(iii)         that further reports be submitted to future meetings providing information and assurances regarding the Authority’s compliance with the GDPR.
