27 Mar 2018
GDPR: Data Protection legislation is changing
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, replacing the Data Protection Act 1998 as the basis of data protection law. This web page outlines what the GDPR is, what the University is doing to prepare for its introduction and the steps you need to take.
What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union regulation governing how personal data is collected, held and processed.
What information does the GDPR apply to?
GDPR applies to 'personal data'. This is any data that allows a living person to be directly or indirectly identified, including obvious data, such as names, contact details and identification numbers, and less obvious data such as location data or online identifiers (for example IP addresses or cookie identifiers). The Regulation also defines sensitive personal data as 'special categories of personal data'; this includes genetic and biometric data that is processed to uniquely identify an individual, as well as data about health, racial or ethnic origin, political opinions, religious beliefs, trade union membership and sexual orientation. More information is available on the Information Commissioner's Office website.
What does GDPR change in principle?
The following principles summarise the main changes in approach that the GDPR introduces.
- Transparency has always been a significant element of the law relating to data protection and GDPR will strengthen this. For example, there are increased rights for data subjects to be informed about how their data is held and processed.
- Data subjects are given more control over the personal data held and processed by organisations.
- Accountability has been added as a new principle and requires organisations to actively demonstrate how they comply with the GDPR.
- Organisations are expected to build privacy and data protection into everyday activity from the outset (known as data protection by design and by default), rather than treating compliance as an afterthought.
What are the key practical changes GDPR makes?
- The GDPR requires that all processing of personal data has a lawful basis. There are six lawful bases for processing (consent, contract, legal obligation, vital interests, public task and legitimate interests), and different activities within the University may rely on different bases. More information on this is available on the Information Commissioner's Office website.
- Sometimes we process data on the lawful basis of consent, eg if individuals consent to be sent marketing material or to take part in research projects. Rights relating to consent are significantly strengthened: consent must be given by a positive opt-in (pre-ticked boxes, silence or failure to opt out do not constitute consent), and individuals have the right to withdraw consent at any time.
- Individuals have the right to be informed about the data we hold, why we hold it and on what legal basis we are processing it. This is usually communicated by a Privacy Notice.
- The right for individuals to request access to their personal data, known as a Subject Access Request (SAR), remains, but requests must now be processed more quickly: the previous limit of 40 days becomes one calendar month (extendable by up to two further months where requests are complex or numerous).
- Data must be organised and processed in such a way that the rights of individuals can be upheld. Those rights include the right to rectification, the right to erasure (the 'right to be forgotten'), the right to data portability and the right to object.
- There are new rules for international transfers of personal data. This relates to data moving outside the European Economic Area (EEA).
- The consequences of breaching the law are strengthened. Firstly, the Information Commissioner's Office (ICO), which is the regulator for this activity, must be notified of a personal data breach that is likely to result in a risk to individuals within 72 hours of the organisation becoming aware of it. Secondly, the maximum fine for the most serious infringements increases to €20 million (about £17 million) or 4% of annual worldwide turnover, whichever is higher.
The first steps towards preparation
What is the University doing about GDPR?
The University is already updating and refreshing its policies, procedures and guidance. A GDPR Working Group was established in May 2017 to support this work.
All Schools, Departments and Professional Services have been asked to identify a Data Coordinator to act on behalf of the Dean or Director in working towards GDPR compliance. This group has now met to share good practice, disseminate information and support local action planning.
A GDPR Compliance Manager has also been appointed to bring additional focus and resource to the Information Security team. Discussions with all departments and sections and a self-assessment of readiness are now informing the development of an overall action plan. A survey of software has also been undertaken.
Work is planned to review the University’s Retention Schedule and update the Privacy Notice. Central advice and guidance will be developed to inform both local practice and policy.
What do I need to do now?
Ensure you know who the Data Coordinator is for your department or service area and how to contact the University team dealing with GDPR (firstname.lastname@example.org).
If you have questions about how GDPR applies to your work raise those issues with the Information Security team and involve your Data Coordinator.
Ensure you have completed the University's Information Security Training, accessed via LEARN.
Ensure you know what the University’s process is in relation to Subject Access Requests (SAR). An updated version is being developed and will be available before 25 May 2018.
Ensure you know what to do if you believe there has been a data breach, as it is crucial that you are able to act promptly; the 72-hour notification clock starts when the University becomes aware of the breach. See the Academic Registry site for more information.
If you are thinking about doing something new with personal data, let the team dealing with Information Security know in good time, ideally at the early design stage, as a Data Protection Impact Assessment (DPIA) may need to be carried out.
If you are taking part in activity which calls for individuals to give consent, ensure you are asking for a positive opt-in consent, that you make it clear that consent may be withdrawn at any time, and that you have processes which allow for withdrawal and record when consent was given. There is significant guidance on consent on the Information Commissioner's Office website.