Key Data Protection Changes from May 2018 - Appendix 1

Find out what the key changes in the new Data Protection Act are.

For each topic below, the example is followed by the position under the existing Data Protection Act and the position from 25 May 2018 under the new Data Protection Act.
Breach of data protection

This is where we have to notify our data protection regulator - the Information Commissioner - if we have lost any personal data.

For example - a council had misplaced a notebook containing personal details of customers. It was found and handed in to a local newspaper.

The notebook was recovered but not before the newspaper published a story about the incident.

Existing Data Protection Act:
  • currently it is only best practice to report high risk breaches to the regulator
  • council policy is to formally assess breaches and report to the regulator in line with this best practice
  • we are not obliged to inform individuals affected by the breach
  • we do presently notify serious breaches

From 25 May 2018 - New Data Protection Act:
  • we will have 72 hours to report breaches to the regulator
  • all breaches must be reported unless there is a minimal risk to the rights and freedoms of those affected
  • we must inform individuals who are affected where there is a high risk to those individuals

(As part of our preparations to get ready for the change in laws - we are reviewing our incident reporting process)

Being fined for a data protection breach

We can receive a fine for breaching data protection laws - such as losing personal data.

For example - another Scottish Local Authority was fined £150,000 in 2013 having lost a laptop containing the personal details of over 20,000 individuals.

Existing Data Protection Act:
  • currently we can be fined up to £500,000

From 25 May 2018 - New Data Protection Act:
  • greater penalties are in place - up to €20 million or 4% of global annual turnover of the preceding year - whichever is greater

(Having a major financial impact on key services and the resources required to deliver them)

Data Protection Officer

This is a dedicated senior council officer who has a role to enforce how we collect and process personal data in line with data protection laws.

Existing Data Protection Act:
  • currently not a mandatory role

From 25 May 2018 - New Data Protection Act:
  • as a public authority this is a mandatory role and we will appoint a Data Protection Officer

A subject access request

This is where an individual can contact us to see what information we hold about them.

For example - a citizen could ask to see all the information that a service such as Social Policy holds on them.

Existing Data Protection Act:
  • currently we have 40 calendar days to respond
  • we can charge a £10 fee
  • we do not incur any fines for a late response

From 25 May 2018 - New Data Protection Act:
  • we must respond without undue delay and at the latest within one month
  • we cannot charge a fee
  • for consistently late responses we could be fined up to €20 million or 4% of global annual turnover of the preceding year - whichever is greater

(Having a major financial impact on key services and the resources required to deliver them)

Fair processing notices

A key principle of data protection law is that all personal data should be processed fairly and lawfully.

Fair processing includes telling individuals that we hold their information and what we will do with it.

For example - where we have a notice or a form on our website that explains how personal data is processed.

Existing Data Protection Act:
  • fair processing notices are required to allow individuals to understand what their personal information is being used for

From 25 May 2018 - New Data Protection Act:
  • individuals will need a lot more information to be supplied to them under the new regulation - so that they can better understand what information we hold on them and why
  • fair processing notices will need to be easily accessible, clearly communicated and easily understood