An Open Letter to Clerks, Council
Officers and Local Councillors
Dear Local Council,
If there’s one thing we hear more than anything else from the clerks and officers we work with, it’s this: there simply isn’t enough time to do everything you have to do.
Time to stay on top of ever-changing information compliance rules. Time to figure out which of it really applies to parish and town councils. Time to learn or refresh key skills. And now, there’s something new to add to the list.
From the 2025/26 AGAR, parish and town councils must confirm their compliance with UK GDPR and the Data Protection Act.
Data protection compliance is not new. Parish and town councils, together with other data controllers, have had to comply with their legal and statutory data protection obligations for years. But, with the introduction of Assertion 10, information compliance has now come into clear focus.
This may mean refreshing outdated policies and providing relevant training for staff and councillors. This may mean mapping out ‘personal data’ processed by the council, including why you hold it, who has access, and your lawful basis for processing. It may also involve conducting data protection risk assessments and ensuring key documents and policies reflect how your council works today, and not how the council operated back in 2018 when GDPR first came into law.
That’s why we’ve created the Local Council Data Protection Compliance Kit service.
It’s designed to take the pressure off. Giving your council a clear, supported pathway to information compliance, with relevant tools and templates, step-by-step guidance, council-specific training, and year-round support through live clinics and events.
The benefits don’t stop there. Information compliance doesn’t stand still, and neither does your council. Your council is growing, taking on new services and assets. Breakthrough Communications is here to support your council on that journey.You don’t need more on your ‘to do’ list.
You need the right tools at the right time, so compliance doesn’t become a last-minute scramble. Join us today.
Here's What You Get With Our Toolkit
We understand that your council is already busy. That’s why our new toolkit service provides a supportive pathway to compliance, with guidance and clarity every step of the way.
​On-demand, Bite-sized Training Modules
Designed for clerks and lead council officers, our bespoke data protection training and guidance comprehensively covers the journey to achieve confident compliance.
Councillors and staff will be able to access regular data protection training at no extra cost. Our refresher training also includes certificates of completion, for all delegates.
Regular Refresher Training​
Regular ‘drop-in’ Clinics
Join us on Zoom to troubleshoot issues, get answers, and hear from colleagues across the country as we share and discover best practices.
We've done the hard work for you. Our team has created council-specific templates, resources, and checklists, designed save you time and effort meaning you don't have to start from scratch.
New Guidance, Templates, Resources and Checklists
To keep council your updates on latest data protection and information compliance matters that relates to parish and town councils.
Regular Best Practice Bulletins
Every council will have to declare its compliance with UK GDPR and the Data Protection Act
With summer looming, now is the time to act
Starting from the 2025/26 AGAR, every parish and town council will have to confirm that they are compliant with their legal obligations under UK GDPR and The Data Protection Act.
​
The new Annual Governance Statement (AGS) Assertion 10 requirements will focus on local council digital governance, UK GDPR compliance, and website/email standards.
Assertion 10 not only requires councils to use a council-owned email domain and to operate an accessible website in line with legal requirements, it also requires parish and town councils to:
-
Comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018
-
Process personal data lawfully, fairly, and in line with UK GDPR principles
-
Recognise their roles as both a Data Controller and a Data Processor
To credibly declare UK GDPR and Data Protection Act compliance, councils may also need to undertake activities such as data audits, staff training and policy reviews in line with sector guidance.
What Local Councils Need to Know
Why this matters:
To sign off Assertion 10 with confidence, your council should have already taken steps during the current financial year.
​
For many councils, this may involve:
-
Carrying out council-wide audits of ‘personal data’ your council processes, why you hold it, who has access, and your lawful basis for processing.
-
Risk assessing all of the personal data processed by the council and identifying mitigations to reduce risk to the council and data subjects.
-
Having appropriate data protection and information compliance policies in place that reflect how the council operates (not what it did in 2018)
-
Putting in place regular and relevant data protection training for council staff and councillors
There’s a lot of work to do, and yet for many councils, it can be a challenge to know where to start, or what to actually do to achieve compliance with the UK GDPR and Data Protection Act.
There’s a lot to take care of, which is why acting now can help avoid unnecessary stress, frustration, and headaches further down the line.​
What the Data Protection Compliance Toolkit delivers:
We offer on-demand, bitesize training modules tailored for clerks and council officers, providing comprehensive guidance on achieving data protection compliance within councils.
The programme includes brand-new, customisable templates and resources that can be adapted to meet your council’s specific needs. A UK GDPR and Data Protection Compliance Checklist is also provided to help track progress towards full compliance.
In addition, monthly Masterclasses deliver practical advice on key aspects of council data protection, such as the use of CCTV, handling photography and videography at events, managing councillors’ use of personal data, personal devices, email lists, subject access requests (SARs), and other UK GDPR-related processes, as well as FOI and EIR management. Regular Zoom drop-in clinics are also available to provide real-time troubleshooting and support.
RISK-FREE
GUARANTEE
This new service comes with a 60-day money-back guarantee. If your council complete all of the training modules and attends at least one live clinic or masterclass, but is still not satisfied, we’ll refund your council in full.
No hassle, no risk.
Take a Peek Inside the Local Council Data Protection Toolkit
Clerks and officers get immediate access to the Data Protection Toolkit, which includes guided learning from our experts, resources, templates, checklists and more.
The Data Protection Toolkit will support your council through every stage of its data protection compliance journey.
To achieve this, we have designed a unique, six-stage process to give your council peace of mind and confidence.
Stage One introduces the building blocks of data protection, giving you a thorough understanding of council information compliance essentials.
As you move onto Stage Two, our experts will guide you to map out all of the personal data your council processes, as well as documenting the purposes for which it is being processed.
Stage Three explores the ‘lawful basis’ your council has for each purpose you have identified. Your council will then move on to Stage Four, where we will guide you to risk assess personal data from a practical perspective.
Once you have an understanding of the data, risks and responsibilities, you can move on to Stage Five. You’ll be guided through creating essential policies and documentation your council needs.
Everything leads to Stage Six, where we’ll guide you through reviewing everything you have done, giving you confidence when you submit your AGAR. We’ll also keep your council future-proofed.
Data Protection Toolkit Service Frequently Asked Questions
Is data protection mandatory?Our toolkit service is an optional service for councils. However, the new Assertion 10 requirements are not optional, and neither are the legal and statutory data protection requirements that have been placed on councils for years.
The purpose of our Data Protection Toolkit service, therefore, is to guide and support councils on their compliance journey and to ease the stress.
We already have a privacy policy. Isn’t that enough?
Data protection policies and other information compliance documents, such as a Privacy Notice, must reflect current council practice, be actively followed, and regularly updated to align with the latest guidance, legislation and best practice. Out-of-date or ‘off-the-shelf’ policies may not reflect the way your council processes personal data.
What happens if we wait until next spring?
Compliance involves having a clear sense of where your council is now, where it needs to be, and how to bridge any gap. Compliance can, therefore, take time. We would therefore advise not delaying your compliance journey, regardless of whether or not you utilise our services.
We don’t think we process much in the way of personal data.
In the context of local councils, personal data can include a range of information such as staff records, councillor contact details, resident correspondence, planning documents, consultation and survey responses, live and recorded CCTV footage, photographs from council and community events, and details in allotment or burial registers - and more. This is not meant to be an exhaustive list.
Even seemingly routine documents, such as GDPR and FOI requests, complaint emails or youth club sign-up forms, often contain identifiable personal information.
How does the team at Breakthrough Communications help councils like ours?Breakthrough Communications is the only organisation that provides data protection and information compliance advice to the National Association of Local Councils (NALC), many County Associations, as well as directly to parish and town councils. Our team specialises exclusively in the parish and town council sector, combining expert knowledge of UK GDPR and FOI with a practical understanding of how councils operate, meaning that our guidance is always relevant, realistic and ready to use.
