Data protection

We started our preparations in 2016. We have a formal project to manage the preparation for GDPR. The project reports to council Corporate Board and senior management.  We have used the expertise of our internal Information Management and Legal staff to advise and audit all our services.

We have:

• appointed the Information Manager as the statutory Data Protection Officer
• reviewed our key contracts with our suppliers and partners, implemented contract variations for GDPR compliance and technical data and security questions
• conducted a comprehensive audit of all our services to determine current processing and reviewed high-risk areas to see if any changes are needed to meet GDPR requirements
• determined the lawful basis for processing to meet GDPR requirements
• developed layered privacy notices: a new customer privacy notice plus service area and service-specific privacy notices to inform customers
• developed a programme of communications to staff to raise awareness with regular presentations, updates and new intranet material
• implemented,  supplementary training material for staff on GDPR and cybersecurity, in addition to our mandatory information compliance training
• reviewed and revised information policies and procedures for staff and customers.

We will continue the project during 2018 and into 2019 which will include:

• maintaining a ‘Record of Processing Activity’ for our services to meet GDPR requirements
• updating all data audits
• updating our privacy impact assessment procedures to change to data protection impact assessments, following new guidance from the ICO on 15 May 2018
• developing service-specific privacy notices where required
• ongoing checking of internal and hosted systems for GDPR compliance