
A quick guide to the AGAR Assertion 10 and UK GDPR Compliance

Updated: Aug 7

What Local Councils need to know (and do) before their next AGAR Submission


From the 2025/26 AGAR, parish and town councils will be required to complete a new Assertion 10 as part of their Annual Governance Statement. This new requirement goes beyond the previous expectations bundled together under Assertion 3.


The 2025 Practitioners' Guide, issued by the Smaller Authorities Proper Practices Panel (SAPPP) (formerly JPAG), sets out the requirements of Assertion 10.


Assertion 10 will not only require councils to use a council-owned domain for email and to operate an accessible website; it also explicitly requires parish and town councils to:


  • Comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018

  • Process personal data lawfully, fairly, and in line with UK GDPR principles

  • Recognise their roles as both a Data Controller and a Data Processor


But what does UK GDPR and Data Protection Act compliance mean in practice for parish and town councils?


This means councils should have a holistic understanding of all of the personal data they process, their purpose for processing it, where it's stored, who has access (and why), whether that data is ever shared, and when, ultimately, that data is deleted.


To credibly declare UK GDPR and Data Protection Act compliance, councils are also advised in the guidance to undertake activities such as data audits, staff training and policy reviews in line with sector guidance, where relevant.


To sign off Assertion 10 with confidence, your council should have already taken steps during the current financial year to ensure your compliance. For many councils, this may involve:


  • Carrying out council-wide audits of the ‘personal data’ your council processes, covering why you hold it, who has access, and your lawful basis for processing.


  • Risk assessing all of the personal data processed by the council and identifying mitigations to reduce risk to the council and data subjects.


  • Having appropriate data protection and information compliance policies in place that reflect how the council operates (not what it did in 2018)


  • Putting in place regular and relevant data protection training for council staff and councillors


There’s a lot of work to do, and yet for many councils, it can be a challenge to know where to start, or what to actually do to achieve compliance with the UK GDPR and Data Protection Act.


There’s a lot to take care of, which is why acting now can help avoid unnecessary stress, frustration, and headaches further down the line.


Discover how our Council Hive Data Protection Toolkit Service is supporting councils to get GDPR compliant, for the AGAR and well into the future.


 
 


Breakthrough Communications


©2025 Breakthrough Communications and Strategies Limited. All rights reserved.
