The GDPR will give people more rights over their data. For example they have the right to have personal data deleted. So... would your council be able to find the data you have and who would be responsible for making sure data was deleted?

As part of your data audit at stage 2 you should be starting to create a register. This will then help you understand, refine your processes and therefore control the personal data you handle.

Individuals have the right to know what data you hold about them, why you are processing it and whether it will be given to any third party. They have the right to be given this information in a permanent form (hard copy). This is known as a subject access request (SAR). Your council will need to be able to identify a SAR, find all the relevant information / data and comply within one month of receipt of the request.

Read more about these rights from the ICO website.

Click here to move onto step 4

Click here to return to the main page