The General Data Protection Regulation (GDPR) comes into force on 25th May 2018. It is an EU directive but will be replaced by an almost identical Data Protection Bill after Brexit, so it is here to stay.

It is the biggest change in privacy legislation in over 20 years and replaces the Data Protection Directive 95/46/EC. It also overrides the Data Protection Act of 1998.

It applies to almost all organisations, especially public bodies, but not individuals. It effectively reverses the ownership of personal data, giving control back to the individual. It encourages only the minimum amount of data to be stored and for the minimum period and it obliges everyone in the data supply chain to comply.

Personal data includes any information relating to a person that can be used to directly or indirectly identify that person:

· Full name, email address, date of birth, IP address/website cookies

· Purchases, downloads, subscriptions and services used

· Questions and responses, promotions used, survey responses

· Financial history, banking/credit, payment transactions and donations

· Healthcare and education services used

· CCTV recordings, gender identity, location data, credit card data

· Judgements/sanctions, government services

· Any data capable of identifying an individual either on its own or when combined with other information

Internal account numbers, PINs and passwords, IMEIs, National Insurance number

Driving licence number, passport number

There is a special category of high-risk data –Prohibited without explicit consent or reasons

· Race/ethnic origin, political opinions, religious beliefs and union membership

· Biometric, genetic, health/medical data

· Sexual orientation, sex life

· Criminal offences, criminal convictions

The legislation affects both manual and automated processing (i.e. Databases, voice mail and completed forms

CCTV, cookies and website tracking). It includes both digital and paper records, but only applies to personal data able to identify a living subject, so excludes anonymous and encrypted information.

Applies to all 'data subjects' so affects the public sector, members of the public, the council’s employees and volunteers, Suppliers, Contractors.

The Council is creating a number of new Policy Documents to conform to the law. These can be viewed under the 'Policies' tab. A number of other useful documents relating to the GDPR are also available.

Notice Date: 25/05/2018