top of page

Pennies vs pounds - how councils comply with the UK GDPR


Look after the pennies and the pounds will look after themselves, as the saying goes.

In other words, look after the little problems and the big ones will stay away, or may not even occur at all.

In the world of local council data protection compliance, letting the 'pounds look after themselves' takes the form of keeping hefty fines from the Information Commissioner out of arm's reach.

The ICO has the power to levy fines against data controllers such as local councils. There is a standard maximum fine of £8.7m, overshadowed by the towering upper limit of £17.5m.

Such fines, in our metaphor, surely represent armies of pound coins, standing to attention in the distance.

The ripple effect insinuated by this saying has now turned into a figurative tsunami.

Councils who fail to ensure appropriate data protection compliance measures are in place, or who simply don't take data protection and information governance seriously, genuinely put themselves at risk of fines and other enforcement action.

So what are the GDPR 'pennies', in this circumstance?

The 'pennies' refer to the cost of complying with data protection, before things go wrong.

In other words, the direct cost of early compliance.

For local councils, data protection compliance may include:

  • Ensuring the council follows the seven data protection principles (Lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability) in all they do when it comes to processing personal data;

  • Have recorded their processing activities, and have clarity on the lawful bases the council is relying on to process personal data in different ways and through its services;

  • Ensuring they haven't forgotten that personal data can also take the form of photos and videos, as well as in written form (think council CCTV and council photography...);

  • Ensuring appropriate policies, documentation and notices are in place and are up to date;

  • Respecting the rights of data subjects, including the right to be informed about the collection and use of their personal data, the right to access their personal data and receive supplementary information, the right to have inaccurate personal data rectified, the right of erasure in certain circumstances, as well as other rights provided for in the legislation);

  • Responding to data protection requests in a timely manner (as well as, of course, FOI and EIR requests under their respective legislative frameworks);

  • Keeping personal data secure and ensuring appropriate technical and organisational measures are in place to maintain this;

  • Ensure staff and councillors receive appropriate training;

Complying with data protection (and Freedom of Information) legislation takes time - and will likely involve some limited financial investment - but this investment helps to protect the council against the risks associated with non compliance.

If your council would like to discuss options to achieve compliance, why not book a complimentary discovery call with our team of local council data protection experts?

In context, these compliance measures are the 'pennies'. After all, if councils look after them, and the pounds will look after themselves...


bottom of page