General Data Protection Regulation

How we comply with GDPR

The General Data Protection Regulation (GDPR) is a legal framework that came into force on 25 May 2018. It is supported by the UK Data Protection Act, which gives individuals rights over how their personal data is used.

This is the most significant update to data protection laws in over 20 years.

Key changes under GDPR

1. Increased fines - fines for breaching GDPR (the maximum being the greater of 4% of turnover or €20M) are significant compared with the previous fines regime (maximum of £500K).

2. Accountability and privacy by design - we must be able to demonstrate compliance with GDPR and implement data protection by design to reflect processing activities and risk.

3. Data protection officer (DPO) - this becomes a statutory role which requires us to provide the necessary support and resources to enable the DPO to carry out the role.

4. Data processors – data processors can be held liable for non-compliance.

5. Extra territorial reach - GDPR’s reach extends to organisations outside the EU that process personal data of individuals in the EU. 

6. Consent as basis for processing - GDPR makes it much harder to rely on consent as a basis for processing personal data and we must check whether the basis upon which consent was obtained meets GDPR requirements. 

7. Privacy notices - these must be concise, intelligible and communicated by means likely to be noticed and read by data subjects. GDPR also requires further information to be added to privacy notices. 

8. Data subject rights - GDPR expands rights of data subjects to include, for example, the right to be forgotten, the right to portability and the right to prevent customer profiling. 

9. International transfers - the basis on which local authorities can transfer personal data outside the EEA has been restricted.

10. Data breaches - subject to limited exceptions, all data breaches must be notified to the Information Commissioner's Office within 72 hours.

For more information visit the Information Commissioner’s Office (ICO).

What is personal data?

Personal data is any information that can identify a person, such as:

  • a name
  • an email address
  • a date of birth
  • a national insurance number
  • a postal address

It also includes sensitive personal data such as:

  • ethnicity
  • religious beliefs
  • medical history

GDPR principles

Under GDPR, personal data must be:

  • processed lawfully, fairly and transparently (stored, used, destroyed)
  • collected for specific, legitimate purposes
  • adequate, relevant and limited to what is necessary
  • accurate and kept up to date
  • kept only as long as necessary
  • protected by appropriate technical and organisational measures against unauthorised or unlawful processing, loss, damage or destruction

We must also be able to demonstrate compliance with these principles.

Collecting and processing data

We only collect and process personal data when:

  • we have your consent, or
  • we have a legal or operational reason to do so

We only collect the data we need to deliver services or meet legal obligations.

Data Protection Impact Assessments (DPIAs)

A Data Protection Impact Assessment (DPIA) helps us identify and reduce risks when planning new projects that involve personal data.

To request a copy of a DPIA, email dataprotection@hartlepool.gov.uk or call 01429 523087.

You can view or download our Transition to Secondary School DPIA