Numpties, numpties, numpties they are all numpties
The vast majority of data protection officers, who can be paid as much as £80 – 90,000 pound a year are putting their organisations at risk for failure to comply with GDPR.
So why do we say they are numpties? An example best demonstrates how our Council – Folkestone & Hythe District Council – get it wrong. But we add it is not just our Council. There are many other Data Protection Officers who are failing to properly implement the GDPR for their organisations as well.
You send an Freedom Of Information request or an Environmental Information Request to our Council, they must acknowledge your FoI/EiR.
This is how Folkestone & Hythe District Council acknowledge an FoI/EiR presently.
Thank you for your request dated 2X January 2019 This is being processed under the Freedom of Information Act 2000.
We will endeavour to supply the information you have requested promptly and within the requisite 20 working days. If we think that it will take longer, we will contact you.
Please ensure you leave the subject line in any correspondence sent to us in relation to this request to enable us to locate your file. The reference number for your file is shown above in the Subject Line.
Tel: 01303 XXXXXX
Mob: XXXXX XXX XXX
Folkestone & Hythe District Council, Civic Centre, Castle Hill Avenue,
Folkestone, Kent, CT20 2QY
This response is WRONG. It is not just the Shepwayvox Team that says this acknowledgement is wrong.
He says in his article:
Under Article 13 of GDPR, where data is obtained directly from the Data Subject (you), the following information must be provided at the time the data is obtained (by the Council).
So when you get that acknowledgement for your FoI/EiR from Folkestone & Hythe District Council, they must provide the following:
the identity and contact details of the Data Controller and where applicable any representative
the purposes of the processing for which the personal data are intended as well as the legal basis for processing (as per Article 6(1))
where the processing is based on legitimate interests (Article 6(1)(f)), the interests pursued by the Data Controller or third party;
the recipients or categories of recipients for the personal data (if any)
Eight and half months since the introduction of GDPR, and still our Council and many other organisations are getting this very simple issue wrong. It would not be hard to fix. We hope this will influence our Council to change their acknowledgement. We suspect this blogpost will not win us any friends in our Council.
The Shepwayvox Team
Not owned by Hedgefunds or Barons