Data protection

The GDPR came into effect on 25 May 2018. Changes include the following

New rights for data subjects

The new rights are:

• the right to be forgotten – in some cases an individual can ask for their personal data to be deleted
• changes to consent required from individuals
• where consent for the use of personal data is required it must in future be explicit, non-ambiguous and given freely and can be withdrawn
• shortened timeline for subject access requests

Data Protection Officer

The GDPR requires all public authorities to appoint a DPO. At Northampton this is David Taylor. Find out more about the DPO's role.

Privacy notices

All organisations that collect and process personal data must publish inform individual of how they manage that personal data by producing a privacy notice.

We have two layers of privacy notices.

• Corporate privacy statement (CPS)

Our Data Protection Officer will ensure we publish a Corporate Privacy Statement in compliance with GDPR Article 13.1.

• Departmental privacy notices (DPN)

Where departments process personal data, either because of the service they provide or the legislation they work under, they will publish further information about the specific circumstances and context in which the personal data are processed. (Recital 60 & A13.2)

Mandatory breach notification

In certain circumstances organisations will have to tell the Information Commissioner's Office about unauthorised disclosures of personal data as soon as they are discovered. If the disclosure has serious implications for any individuals, the data subject will have to be informed as well.

Privacy by design

Organisations must design data protection into all business processes, new systems and undertake Data Privacy Impact Assessments (DPIAs).

Related documents

• Our Corporate General Data Protection Policy
• Subject Access Request form