London Data Privacy Bylaw - GDPR Compliance

Technology and Data · England · 3 Minutes Read · published February 02, 2026

London, England public bodies must follow the UK Data Protection Act 2018 and the UK GDPR when processing personal data; local councils implement these requirements through council privacy notices, internal policies, and designated Data Protection Officers to meet statutory duties and handle breaches, subject access requests, and enforcement actions.

Penalties & Enforcement

The Information Commissioner has statutory powers to investigate and impose penalties for GDPR and Data Protection Act breaches, including financial penalties and enforcement notices; the maximum fine for serious infringements is not specified on the cited page.[1] The UK Data Protection Act 2018 provides the national legal framework that councils in England must follow and sets criminal and civil offence provisions where applicable.[2] Local council compliance is overseen internally by the council Data Protection Officer or Corporate Information Governance team, and complaints about a council's handling of personal data can be made to the council first and to the Information Commissioner if unresolved.[3]

Report suspected serious breaches promptly to your council DPO and to the ICO where required.

Fines, escalation and non-monetary sanctions

  • Financial penalties: amounts depend on the infringement and statutory criteria; see the ICO guidance for applicable maxima and tiers.[1]
  • Escalation: the ICO may issue warnings, reprimands and mandatory compliance orders, and may impose higher fines for repeated or systemic breaches; specific escalation ranges are set out by the ICO and relevant legislation.[1]
  • Non-monetary sanctions: enforcement notices, data processing bans, required remedial steps, criminal prosecution for certain offences under the Data Protection Act 2018, and court or tribunal action.
  • Enforcer and complaints: primary regulator is the Information Commissioner; councils also maintain internal complaints routes and Data Protection Officers; contact details and complaint procedures are published by each council.[3]
  • Appeals and review: orders and decisions by the ICO may be subject to appeal to the relevant tribunal or courts; precise time limits for appeals are specified in the enforcement notice or decision, or in regulator guidance or the statutory instrument where shown; otherwise they are not specified on the cited page.[1]

Councils must publish privacy notices and DPO contact details where they process personal data.

Common violations and typical outcomes

  • Unlawful disclosure of personal data: potential enforcement notice, remedial order, or fine depending on harm and culpability.
  • Poor retention or lack of records: required actions to improve records and possible monetary penalty for systemic failure.
  • Failure to respond to subject access requests: compliance orders or fines and corrective directions.

Applications & Forms

Councils commonly publish Subject Access Request procedures and templates and may provide online forms or email addresses to submit requests or complaints. Where a specific council form is required or a fee applies, this will be shown on the council page or in the ICO guidance; otherwise the fee and form requirements are not specified on the cited page.[3]

Use the council DPO contact shown on the council privacy page to submit SARs or breach notifications.

FAQ

How do I report a data breach by a London council?
Contact the council's Data Protection Officer using the published contact details and follow the council complaint process; you may also notify the Information Commissioner if the issue is not resolved or is serious.[3]

Can I make a Subject Access Request to my council?
Yes, you may request your personal data from the council; councils publish SAR procedures and any specific submission method on their websites and the ICO provides guidance on your rights and the process.[1]

What penalties can a council face for GDPR breaches?
Enforcement can include compliance orders, criminal offences in some cases, and financial penalties as set out by the ICO and the Data Protection Act 2018; see regulator guidance and statutory texts for details.[1][2]

How-To

  1. Identify and document the incident or request with dates, systems affected, categories of personal data, and any individuals affected.
  2. Notify your council's Data Protection Officer or corporate information governance team using the published contact channel and provide your documented details.
  3. Preserve evidence: do not delete logs, emails, or records and keep a secure copy of relevant materials.
  4. Assess whether the breach is likely to result in a risk to individuals and follow the council's internal escalation and notification procedures.
  5. If the council response is unsatisfactory or the breach is serious, submit a complaint to the Information Commissioner with supporting documentation.

Keep a dated record of all communications when dealing with SARs and breach reports.

Key Takeaways

  • Councils in London must follow the UK GDPR and Data Protection Act 2018 and publish DPO contacts and privacy notices.
  • The ICO is the primary regulator with powers to issue orders and fines; local complaint routes are the first step.

Help and Support / Resources

  [1] Information Commissioner's Office - Guide to data protection
  [2] Data Protection Act 2018 - legislation.gov.uk
  [3] City of London Corporation - Data Protection