General Data Protection Regulation (GDPR) Statement

Date: 23 April 2018

Nottinghamshire County Council is fully committed to complying with the GDPR, which comes into effect on 25 May 2018.

The Council has initiated a detailed programme of work and has put in place an Information Governance Framework underpinned by a suite of policies that will comply with the new law. These comprise an Information Rights Policy, an Information Security Policy and an Information Compliance Policy which are supported by a number of standards, procedures and guidelines for staff, including a data breach procedure.

We are maintaining an Information Asset Register which records types of personal data the Council is processing and other supporting information.

Training for all staff is being provided and more detailed, role-specific training will be reviewed within the next three months and implemented thereafter.

We are reviewing our existing supplier contracts to ensure they comply with GDPR, where required. New contracts issued by the Council will now follow central government standards regarding GDPR compliance and procurement processes have been amended to take account of the new law, in line with recommendations of the Government’s Crown Commercial Service.

A new Data Protection Impact Assessment (DPIA) procedure to underpin “Privacy by Design (and Default)” is in place. DPIAs are being undertaken where relevant to ensure that appropriate technical and organisational security measures are put in place where high risk data processing is being undertaken.

We have new governance and performance measures to ensure that there is the appropriate visibility of progress in this business critical area and additional resources have been identified to support the work in the future.