Top Ten Data Protection Pitfalls for Councils and How to Avoid Them

Parish and town councils process personal data on an almost daily basis, sometimes without realising it.

The result? Councils can feel overwhelmed and unsure if they are meeting their obligations, fearful of making a mistake that could damage trust or attract complaints.

Our Head of Council Information Compliance has compiled his top ten most common pitfalls when it comes to data protection.

 

1. Forgetting to consider a lawful basis

Every project or service involving personal data needs a lawful basis.

What does lawful basis mean? Lawful bases are the legal foundations that justify your processing of data under UK GDPR.

Councils must choose the right one, whether it’s public task, consent, contract, legal obligation, legitimate interest, or vital interests. The key is to build data protection into projects from the start, not as an afterthought.

2. Sharing passwords

When multiple people share the same log-in details, or worse, use the same password across different services, councils create serious security risks. Using a password manager is the simplest way to protect both staff and residents’ information.

3. Using USB sticks

I call them “keyring-sized data breaches.” USB sticks are easily lost or infected with malicious software. Councils should ban them outright and use more secure ways to transfer and store personal data.


4. Having the wrong privacy notice

A website’s privacy notice is not the same as a council-wide privacy notice. Councils must publish a clear, overarching notice explaining how they process personal data across all services. This isn’t optional, it’s a legal requirement.


5. Skipping a Legitimate Interest Assessment (LIA)

When councils rely on legitimate interest, such as with CCTV or event photography, they must complete an LIA. This balancing test weighs the council’s reasons for processing against residents’ rights and freedoms.


6. Thinking data protection only applies to digital records

Data protection doesn’t stop at the computer screen. Paper-based filing systems are covered too, as long as they form part of an organised filing system. Filing cabinets count just as much as cloud storage.


7. Not having a Bring Your Own Device (BYOD) policy

Councillors and staff often use personal devices for council business. Without a BYOD policy, this exposes councils to unnecessary risks. A clear policy shows the risks have been thought through and managed.


8. Oversharing information

The data minimisation principle says councils should share only the personal data necessary to achieve a task, no more, no less. Giving out too much information, even with good intentions, creates risks.


9. Misusing “GDPR” as an excuse

Too often, councils think GDPR means “we can’t do that.” In reality, GDPR is about managing risks, not blocking action. Data protection should support decision-making, not stifle it. The important thing is to weigh risks and mitigate them appropriately.


10. Forgetting ongoing responsibility

Data protection isn’t a one-off tick box. It’s an ongoing process of review, improvement, and awareness. Councils that take data protection seriously not only stay compliant but strengthen trust with their communities.


It’s easy for councils to feel daunted by data protection, but it doesn’t have to be this way.


By tackling these common pitfalls head-on, councils can stay compliant, avoid reputational and regulatory risks, and most importantly, give residents confidence that their personal data is in safe hands.



Breakthrough Communications

BizSpace, Courtwick Lane, Littlehampton, BN17 7TL
Email: hello@breakthroughcomms.co.uk
Phone: 01903 299000

©2025 Breakthrough Communications and Strategies Limited. All rights reserved.
