Data Protection Law is changing! Are you ready?

What is happening?

Data protection law governs the rights of individuals, and the responsibilities of organisations, relating to privacy. The current Data Protection Act 1998, on which the University’s data protection policy and procedures is based is being replaced, from 25 May 2018, with two new pieces of legislation: the General Data Protection Regulation (EU) 2016/679 (commonly referred to as “GDPR”), and a new General Data Protection Act 2018, which is currently going through the UK parliamentary approval process.
The changes in data protection law aim to give individuals more control over the information that organisations hold about them and to create a consistent approach to data protection across the EU.

What are the changes?

A lot of the existing data protection law and how it impacts on us and our work at the University is not changing. There are however some key changes that you need to know about:

  • Accountability: The GDPR requires data protection “by design and by default”. We need to:
    • maintain internal records of what personal data is being processed and retention schedules
    • prepare privacy impact assessments where necessary
    • have clear privacy notices in place to inform individuals about how and why their information is collected and used and the lawful basis under which we are using that personal data.
  • Fines: The University could be fined up to 4% of its global annual turnover or €20 million for certain breaches and up to 2%/€10 million for others. This is a significant increase from the current maximum amount of £500,000 that can be enforced in the UK.
  • Increased rights for individuals:
    • Subject access: Individuals will continue to have a right to request details of information held about them and the response will need to be provided within one month, which is reduced from the current timescale of 40 days. 
    • Right to deletion: Individuals will have a new right to request erasure of their personal data in certain situations.
    • Data Portability: Individuals will have a new right to be able to obtain and reuse their personal data for their own purposes across different services.
  • All breaches will need to be notified to the ICO within 72 hours and to affected individuals under certain circumstances. 
  • Data Sharing: Whenever we are sharing personal data with a third party, there must usually be a contract in place, which must cover the requirements of the GDPR.
  • International data transfers: Particular care needs to be taken if personal data is being transferred outside the EU as certain conditions must be complied with when doing so.

What is the University doing?

The University has established a working group to manage the implementation of GDPR following an agreed action plan. The group reports to the University’s Senior Management Team. Work has been carried out to assess the personal data processed by the University and what systems and processes may need to be changed as a result of this process.

Further guidance and information will be published over the next few weeks on these pages.

Each School and Service has nominated a Data Protection Champion to raise awareness of Data Protection and Information Security responsibilities and be the initial DP contact within their School/Service. Details of the Data Protection Champion for each School and Service will be published here soon.

What do I need to do?

There are things that you can do now to help to ensure that we are compliant.

One of the underlying principles of the legislation is that privacy of individuals’ information is designed into our everyday working practices by default. Set out below are some key rules for you to consider in the context of your day to day work at the University:

1. Keep personal data secure

• Don’t share your password
• Lock your computer/laptop/tablet whenever you leave it 
• Lock away your papers when you are away from your desk
• Don’t work with personal data on unencrypted devices
• Consider putting systems in place to ensure that only those that need to have access to personal data can access it

2. Only keep personal data that you need and don’t keep it for longer than needed

• Review your records to check whether you need to keep what you have. 
• Regularly delete emails that you don’t need to keep.
• Follow the University retention schedule 

Our Records Management pages contain further information and guidance to assist you.

3. Be aware when sharing personal data

  • Use approved University systems to access, use and store emails and documents. In particular:
    • Don’t use generic cloud storage, such as Dropbox
    • Don’t use personal email addresses to access/store work related information 

Further guidance about storing, accessing and sharing information securely is available on the University’s Information Security pages here.

  • If you are sharing personal data with a third party, think:
    • Why the information is being shared and whether the third party has a right to receive it – check your contracts
    • What data do they need to have? Can it be anonymised and serve the same purpose?
    • What is the most secure way to share the data?

4. Tell us if personal data is deleted, lost, stolen or shared by mistake

  • We can ensure that the correct action is taken if you report any incident using the published procedure
  • You must tell us as soon as you become aware of any issues

Where can I find more information?

The Information Commissioner’s Office website has a lot of useful information about the changes in date protection law, including a Guide to the GDPR and 12 Steps to Take Now


Visit this site regularly to check for updates; these will also be highlighted in Staff News and via your Data Protection Champion.