General Data Protection Regulation


On 25 May 2018 the General Data Protection Regulation (GDPR) will come into effect in the European Union and therefore across the United Kingdom. The GDPR will replace the Data Protection Act of 1998 and will bring in extended rights for individuals in respect of access to any data held about them.  It will also place greater obligations on organisations which process personal data.

GDPR will apply to parish and town councils and there are significant, and therefore potentially time-consuming, enhancements to the control of, and means of access to, data.  Every parish or town council (and every parish meeting) will have to plan for how they will engage with GDPR.

Shown below are a suite of legal briefings issued by NALC, together with a copy of the PowerPoint presentation used by ERNLLCA during its recent briefings on the subject.  Also included is further advice and some sample forms prepared for use by member councils.

All public bodies must appoint a Data Protection Officer (DPO).  Whilst this person could be an employee, it is our legal departments advice that this is unlikely to be practical for the vast majority of parish and town councils.  The DPO will usually be a person or organisation who acts as a contractor to the council, in a similar fashion to that of the Internal Auditor.

The legal briefings below are likely to be updated so councils are advised to monitor this page.

Please note that the NALC toolkit below is a large document  


ERNLLCA GDPR presentation

Legal Briefing - Reform of legislation 

Legal Briefing - Summary of main provisions

Legal Briefing - Implications for parish meetings

Legal Briefing - Subject access requests

Legal Briefing - Data Protection Officer

Legal Briefing - Reporting personal data breaches 

NALC GDPR Toolkit 

NALC Parliamentary Briefing March 2018 


ERNLLCA will alert member councils whenever more information becomes available.  Councils may also wish to visit the Information Commissioner's website for further guidance.