Meet the requirements of data privacy regulations
A service must be in compliance with all applicable data privacy regulations including the General Data Protection Regulation and the Data Protection Act 2018
To meet this commitment as part of Digital and Data function’s strategic commitments your plans must show how you will comply with data protection regulations.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) came into force on 25 May 2018 through the Data Protection Act 2018. It’s about protecting citizens’ personal data when it is being processed or moved.
GDPR adopts privacy by design. There is a legal requirement in the GDPR for the protection of citizens’ data to be included from the start of the design process. You must comply with this new regulation and consider the ethical and appropriate use of data and technology. GDPR includes upfront penalties for not complying.
The Information Commissioner’s Office (ICO) has a guide on GDPR and we suggest using impact assessments in the section on accountability and governance as part of your project or programmes risk management process.
The questions from the data protection impact assessments are useful to consider.
If you’re going through the spend control process you must explain how you’re meeting this commitment if your spend request has been rated high on the Risk and Importance Framework or has an assurance rating of control.
Answering ‘no’ will not lead to an automatic rejection and you will need to explain why your spend cannot align to the commitment.