3. Scope

We recognise that the correct and lawful treatment of Personal Data will maintain confidence in the organisation and will provide for successful business operations. Protecting the confidentiality and integrity of Personal Data is a critical responsibility that we take seriously at all times. The Council is exposed to potential fines of up to £17.5 million or 4% of total annual turnover, whichever is higher and depending on the breach, for failure to comply with the provisions of the UK GDPR.

All managers and elected members are responsible for ensuring that all Council Personnel comply with this Policy and need to implement appropriate practices, processes, controls and training to ensure such compliance.

The DPO is responsible for overseeing this Policy and, as applicable, developing Related Policies and Privacy Guidelines.

Please contact the DPO with any questions about the operation of this Policy or the UK GDPR, or if you have any concerns that this Policy is not being or has not been followed. In particular, you must always contact the DPO in the following circumstances:

(a)  If you are unsure of the lawful basis which you are relying on to process Personal Data (including the legitimate interests used by the Council) (see Section [5.1] below);

(b)  If you need to rely on Consent and/or need to capture Explicit Consent (see Section [5.2] below);

(c)  If you need to draft Privacy Notices or Fair Processing Notices and are unsure of the necessary content (see Section [5.3] below);

(d)  If you are unsure about the retention period for the Personal Data being Processed (see Section [9] below);

(e)  If you are unsure about what security or other measures you need to implement to protect Personal Data (see Section [10.1] below);

(f)  If there has been a Personal Data Breach (Section [10.2] below);

(g)  If you are unsure on what basis to transfer Personal Data outside the EEA (see Section [11] below);

(h)  If you need any assistance dealing with any rights invoked by a Data Subject (see Section [12]);

(i)  Whenever you are engaging in a significant new, or change in, Processing activity which is likely to require a DPIA (see Section [13.4] below) or plan to use Personal Data for purposes other than what it was collected for;

(j)  If you plan to undertake any activities involving Automated Processing including profiling or Automated Decision-Making (see Section [13.5] below);

(k)  If you need help complying with applicable law when carrying out direct marketing activities (see Section [13.6]below); or

(l)  If you need help with any contracts or other areas in relation to sharing Personal Data with third parties (including our vendors) (see Section [13.7] below).