Search site

What changes will the new Data Protection Act introduce for service areas?

This section gives an overview of the new rights being introduced and what these changes will mean for the council family.


The new Data Protection Act will introduce very hefty financial penalties for a breach of data protection.

The following are important changes being introduced that you need to be aware of (Appendix 1 shows a comparison table):

1. Breach notification

We will now have only 72 hours after a breach of personal data has been discovered to notify the data protection regulator.

Data subjects may also have to be notified if the breach is high risk.

(As part of our preparations to get ready for the change in data protection law - we are already complying with these new requirements and it is critical that you report any breach in data protection immediately.)

2. Fines

Higher fines are applied if rights of individuals have been breached.

These are substantial - up to €20 million or 4% of global annual turnover. So it is important to get it right first time.

3. Privacy by design

Explicit principles for minimising the collection of personal data will be introduced in the new Data Protection Act.

This is alongside strict rules for how we collect, store and record it. You can read more about this in sections 6 and 7 of this guide.

For certain customers we will also need to first analyse the risks to their privacy - with a Data Protection Impact Assessment - before we can process their personal data. (You can read more in section 5). This is a further development of privacy impact assessments which are currently best practice and are required by the council's Data Protection Policy for new or substantially different uses of personal data across the council.

New rights

1. Subject Access Requests (SARs)

Requests made by individuals for their own personal data will now require to be answered without undue delay and at the latest within one month.

2. Restricting processing

The new Data Protection Act will introduce the right to stop or restrict processing of personal information (in certain circumstances).

3. Right to erasure and to be forgotten

Rights for personal data to be removed, from the web, for instance, are included in the new Data Protection Act. Again, this is likely to have a greater impact on private sector businesses than on the public sector.

These are rules about your right as an individual to stay out of the public eye and to 'be forgotten'.