So what else do you need to look at?

If you have followed the above steps you are now well on your way to working towards compliance. It is important now to tackle any policies or procedures that need to be updated and then re-train your Council as necessary.

The following are also important aspects of GDPR which you may need to consider depending on the nature of your Council business.

Data Protection Impact Assessments (DPIA) - these have been mentioned in earlier steps, but it is also important to note that they are useful if you have very detailed processes and systems, in which case you may consider undertaking one. The checklist in the NALC Toolkit is the place to start (see below in templates). It is also wise to use these as part of your risk assessment when you embark on a new project which might involve personal data.

Data Protection Officer - a recently published amendment to the Data Protection Bill proposes to remove the requirement for parish and town councils to appoint a DPO, so there is no need to take any further action in this regard. However, you are still required to comply with GDPR.

Subject Access - see below in templates for a sample policy and letter templates to help you administer these in line with the new GDPR. This is where your register of activities comes into play: it will allow you to deal with requests from individuals, who have the right to know what you hold about them and how you use it, and who may ask for it to be deleted.

Data Protection & Information Management Policy - click here to access a SALC Data Protection and Information Management Policy.

Cyber security - do you have any guidance or procedures relating to this? See below in templates to consider if this is necessary and if so add it to your action plan.

Data Breaches - make sure your Data Protection Policy includes how you deal with these. Ensure everyone in the Council understands and can action the procedure if necessary. See page 13 of the NALC Toolkit.

Contract management - as part of your initial audit you may have identified processes that involve others who are handling data on behalf of the Council, so you need to make sure they are doing this securely. You will need to ensure that your contracts are updated to include the GDPR-required clauses, and put in place an audit programme to supervise them. Consider how you select suppliers. There must be a written contract which imposes these obligations on processors. See page 13 of the NALC Toolkit. Check out The DPO Centre website and look at the addendum template that you could adapt to existing contracts.

