If you do not know what personal data you hold and where it came from, you will need to organise an audit to find out. This means reviewing personal data held on staff and volunteers, and on people using Council facilities or services. You should also identify any contracts you have in place that might involve a supplier using data you provide, to make sure they do this securely.

As you work through the list below, document your findings: it will give you a better understanding of where there could be risks involving personal data, and it will also help you produce a record of processing activities for the future.

  1. Start by using the questionnaire template and then, if it is helpful, create a to-do list. We have also included a sample template below; it will help you set out what needs to be done, once identified, and who will take responsibility for it. Share some of these tasks around, as this will aid the practical application of handling personal data.
  2. Include in your to-do list actions such as increasing your understanding of "sensitive personal data" (click here to read more about this in a council context). Consider computers and email accounts, for example: do you need to encrypt these, or move to separate, non-personal email accounts rather than sharing a partner's address for email relating to council business? Do you keep hard copy documents securely, and do these go back many years? Minutes can be stored at the Suffolk Record Office, for example. Data protection applies to both electronic and hard copy documents, and includes the information that councillors, clerks and RFOs handle and hold.
  3. The next step is to understand whether you have a lawful basis for collecting and using this personal data. Click here to read more about LAWFUL BASIS, to increase your knowledge and apply it to the data you have identified that you manage and use. You may find that a Data Privacy Impact Assessment (DPIA) is more useful. These are mandatory in certain situations; see below for a template checklist. They should be undertaken if you are considering new technologies, such as CCTV, for example, or where you are processing high risk data.
  4. Finally, create a register of processing as an overall record. This is important for when individuals ask for detailed information about what you hold about them and how you use it. As you work through the solutions identified in your to-do list, you can update the register with details of the controls you have put in place.

You are now on the way to working towards compliance.
