GDPR (General Data Protection Regulation)

The GDPR became enforceable on 25th May 2018.
It is intended to provide extra protection to individuals and their data.
It provides greater transparency over where personal data is saved and used.

The Information Commissioner’s Office

The ICO oversees the GDPR in the UK.

There are 6 legal bases for processing personal data (Consent, Legitimate Interest, Contract, Vital Interest, Legal Obligation, Public Interest). The full legal definitions of these can be seen on the ICO website. Data stored by London Building Control for building control applications will fall under Contractual obligations (which includes additional requirements by the CICAIR to keep records for 15 years).

LBC policy and implementation of GDPR

London Building Control has implemented a GDPR policy which includes GDPR staff training on the management and secure storage of information.
LBC has also undertaken a Risk Management & Governance ‘GDPR Health Check’ carried out by the NCC Group. Nine domain areas were assessed: Governance, Awareness, Policies and Procedures, Data Subject Management, Third Parties, Risk Management, Security, Incident Management, and Compliance. Following this, a nominated ‘Information Security Officer’ has been appointed to develop policy and a ‘Data Protection Officer’ to implement it.

Retrieval of information: a process has been implemented which requires written verification by the requestor before any personal information is released, in accordance with the Data Protection Act and the GDPR.

Breach of GDPR: In the event of a serious breach, LBC will inform the ICO within 72 hours (providing the name and contact details of the Data Protection Officer, a description of the likely consequences of the breach and a description of the measures proposed to deal with it). Where there is a high risk to the rights of any individual, both the ICO and the individual will be informed immediately.

Further information

Further information regarding London Building Control’s GDPR policy can be obtained by emailing stating your request for specific information and your association to a particular project.

Useful references

Information Commissioner’s Office (ICO):
Data Protection Network (DPN):