
GDPR Risk Assessment


All personal data

Risk: Personal data falls into hands of a third party

Management of risk:

Identify where personal data might be stored – storage of personal data by the council may occur by:

  • email (contact from residents),
  • Village Hall booking enquiries and booking forms (by email, phone, notes taken by the Clerk and on Hallmaster),
  • notes taken at Parish Council Meetings, contact made with the Parish Council via the website or Facebook page.
  • recordings of parish council meetings
  • Paper files
  • Databases
  • Electronic files
  • laptops
  • website documents and forms
  • mobile phones

Avoid including any personal information in the minutes or other council documents that are in the public domain. Instead of naming a person, say ‘a resident/member of the public’ unless naming is necessary.

Action taken / completed:

  • Information audit completed. Retention Policy put together which sets out how long information is retained for.
  • The Parish Council and Clerk understand the implications of publishing personal data and make every effort to avoid including personal information in the minutes or other council documents in the public domain.
  • In most instances, minutes should not refer to a resident by name unless necessary. Where this is thought to be necessary, consent must be obtained and the consent tracker updated by the Clerk.

Sharing of data

Risk: Personal data falls into hands of a third party

Management of risk:

  • Identify whether the council shares personal data with any other organisations, for example other local authorities. If yes, the council may need to set up a written agreement with the organisation to ensure that they protect the data once passed to them.
  • Ensure that no personal data is shared with other organisations except with express consent.

Action taken:

The COVID-19 track and trace register states to users, before they submit the form, that data may be shared with relevant authorities for the purposes of health and safety obligations and that this data will be destroyed after a given period.


Hard copy data

Risk: Hard copy data falls into hands of a third party

Management of risk:

  • Decide how much of the personal data held is necessary. Destroy personal data which is no longer needed in line with the Retention of Documents policy.
  • Ensure that sensitive personal data is stored securely in a locked room or cabinet when not in use.
  • Clerk to schedule a periodic data review and destroy personal data which is no longer needed in line with the retention policy.

Electronic data

Risk: Theft or loss of a laptop, memory stick or hard drive containing personal data

Management of risk:

  • Ensure that all devices are password protected.
  • The Parish Council laptop is password protected. The Clerk's work laptop is password protected. The backup hard disk in the village hall is locked in the electrical cupboard.
  • Make all councillors aware of the risk of theft or loss of devices and the need to take sensible measures to protect them from loss or theft. Cllrs are reminded to password protect their devices.
  • Carry out regular back-ups of council data.
  • Ensure safe disposal of IT equipment and printers at the end of their life
  • Access to OneDrive for back up of Parish Council documents is restricted to the Clerk and one Cllr appointed and authorised to support the Clerk with IT matters and help maintain data and information security.
  • Ensure all new IT equipment has all security measures installed before use

Email security

Risk: Unauthorised access to council emails

Management of Risk:

  • Ensure that email accounts are password protected and that the passwords are not shared or displayed publicly
  • Set up separate parish council email addresses for employees and councillors (recommended)
  • Use blind copy (bcc) to send group emails to people outside the council
  • Use encryption for emails that contain personal information
  • Use cut and paste into a new email to remove the IP address from the header
  • Do not forward on emails from members of the public. If necessary copy and paste information into a new email with personal information removed.

General internet security

Risk: Unauthorised access to council computers and files

Management of Risk:

  • Ensure that all computers (including councillors') are password protected and that the passwords are not shared or displayed publicly
  • Ensure that all computers (including councillors') have up-to-date anti-virus software, firewalls and file encryption installed.
  • Ensure that the operating system on all computers is up-to-date and that updates are installed regularly
  • Password protect personal and sensitive information folders and databases. Ensure that shared drives do not provide unauthorised access to HR and other records containing personal information

Website security

Risk: Personal information or photographs of individuals published on the website

Management of Risk:

  • Ensure that you have the written consent of the individual (including parental consent if the subject is 17 or under)
  • Ensure access rights are regularly reviewed

Disposal of computers and printers

Risk: Data falls into the hands of a third party

Management of risk:

Wipe the hard drives of computers, laptops and printers, or destroy them, before disposing of the device.


Financial Risks

Risk: Financial loss following a data breach as a result of prosecution or fines

Management of risk:

  • Ensure that the council has liability cover which specifically covers prosecutions resulting from a data breach and put aside sufficient funds (up to 4% of income) should the council be fined for a data breach.

Action to be taken:

  • Review insurance cover at next renewal in March
  • Consider if the Council has sufficient funds to meet the requirements of the new regulations both for equipment and data security and consider budget headings for the future

General risks

Risk: Loss of third party data due to lack of understanding of the risks/need to protect it.

Management of risk:

  • Ensure that all staff and councillors have received adequate training and are aware of the risks.
  • Filming and recording at meetings: If a meeting is closed to discuss confidential information (for example salaries, or disciplinary matters), ensure that no phones or recording devices have been left in a room by a member of the public

Dates approved, next review: