The UK General Data Protection Regulation

One of the biggest changes to UK data privacy law came into effect on Friday, 25 May 2018.

The UK General Data Protection Regulation (or GDPR for short) is a really positive step towards you having more control over how your data is used and how you're contacted. The changes will also help to better protect your personal data. We have updated our privacy notices to reflect these changes.

Here at Bradford Council, we are updating our application forms and you will be prompted to give consent before your data is processed unless a legal basis applies.

To make sure you're ready to make your choices, we've created a handy guide that will help explain the changes and what they mean for you.

Five things you need to know about the UK GDPR

1. It is the biggest change to UK data privacy law in 20 years

Thanks to technological advances the amount of personal data being generated is rapidly increasing – every time you shop online, use your favourite app or 'like' a photo on Facebook you generate data – which is why the law needs updating to better protect people. As part of the UK General Data Protection Regulation (GDPR) all companies have to review how they manage all personal data – from customer email addresses to employee details. 

2. It will give you more control over your personal data

The UK GDPR is all about giving you more control on how your personal data is used. You'll have greater visibility and control over the personal data organisations hold about you – whether it's something as simple as your name, or as complex and sensitive as medical information. This means you can have greater confidence that information about you is accurate, up-to-date and properly managed.

The UK GDPR includes the following rights for individuals:

  • the right to be informed; You can see what will happen to your data by reading the Privacy Notice provided when we collect your information. The Privacy Notice will tell you why we are collecting your information, who we share it with and how long we will keep it for.
  • the right of access; You can ask what information is held about you via a Subject Access Request.
  • the right to rectification; If you think something is wrong with the data we hold, such as incorrect address you can request that it is corrected.
  • the right to erasure; You can withdraw consent at any time, unless there is a legal requirement for us to hold it.
  • the right to restrict processing; You can pause the handling of your data whilst a review of your issue takes place.
  • the right to data portability; You can request that data that we hold is easily transferred to another organisation.
  • the right to object; As before you may still use the Council's complaints procedure to complain should you wish to or if your complaint is about the handling of your data you may write to our Data Protection Officer at
  • the right not to be subject to automated decision-making; instead of having a machine make a decision about you, you may request that a person reviews your information in order to make a decision.

3. You can choose who contacts you, and how

Over the coming months you'll probably notice a lot of organisations asking for your consent so they can contact you about offers, products or services they think you'll find useful or interesting. To comply with the UK GDPR, these requests need to be really clear and straightforward. You get to choose who contacts you and how, for example by email, social media or phone.

4. You can also change your mind at any time

Even if you give an organisation permission to contact you, you can still change your mind in the future. Under the new rules, it should be easier to update your preferences on what you want to receive and how.

5. Your data will be better protected

GDPR also aims to make sure that all organisations holding personal data have the right processes in place to protect it.

Policy on handling Data Subject Requests

This policy formalises the Council procedures for:

  • confirming the identity of the data subject making a request, or the identity, and legal authority, of the third party making a request, on a data subject’s behalf
  • recording and tracking data subject requests and responses, including all correspondence and internal documents related to requests
  • identifying and locating relevant personal data
  • determining whether the UK GDPR or Data Protection Act 2018 exemption exists that permits or requires the Council to refuse to fulfil the request
  • handling data subject requests that involve several data subjects’ personal data
  • communicating with data subjects at reasonable intervals regarding the status of their request.

You can read the full Policy on Handling Data Subject Requests (PDF, 128 Kb).

Bradford Council Data Protection policy

All Council Employees managing and handling personal information need to understand their responsibilities in complying with the Data Protection Act 2018 (DPA) and UK General Data Protection Regulation (UK GDPR). The DPA and UK GDPR came into effect on 25 May 2018. These two Acts govern the collection, retention, processing and transmission of information held about living individuals along with the rights of those individuals granted in the legislation (Data Subject Rights see Section 4).

You can read the full Data Protection Policy (PDF, 221 Kb).

Other pages in this section