
General Data Protection Regulation (GDPR)


The General Data Protection Regulation (GDPR) will come into force on 25 May 2018, replacing the current Data Protection Act. The new regulation, whilst not radically different from the existing law, does introduce a number of new elements and enhancements that we need to implement to ensure that we remain compliant.

We’ll be updating these pages and adding a range of guidance over the coming months so please check back for further information.

If you have any questions about applying the principles, please contact a member of the Compliance and Casework team.

Why is the law changing?
When the Data Protection Act was being developed over 20 years ago, many of the uses of personal data, and the platforms available, that we now take for granted either hadn’t even been thought of or weren’t as widely used as they are now.  The way in which the Act was introduced also meant that there was no consistency across European Union member states.  GDPR aims to tackle both of those issues.
How are we preparing for GDPR?
The GDPR Steering Group, which is made up of representatives from across the University, is overseeing progress towards compliance across our Schools and Services. We’ve completed detailed inventories of personal data, capturing what we hold and how we’re using it, and are in the process of auditing those registers to identify any issues and areas of risk that we need to address.

Compliance with data protection law is not the sole responsibility of one department or senior individual. All of us need to understand our obligations and be mindful of how we treat personal data. To support this, every member of staff will be required to complete an updated online data protection training module, which will be rolled out over the next few months. In addition to this, some staff (approximately 600) will be required to attend a more in-depth, face-to-face training session. Managers have identified those colleagues and Governance & Legal Services are contacting them with details of how to book a place at a session.
What will GDPR mean for the University?
GDPR applies to personal data that the University processes.  Just as is currently the case under the Data Protection Act, processing is any use of personal data throughout its life cycle, from collection, analysis, evaluation and storage, right through to destruction and how we deal with personal data that is no longer required.  

The main objectives of GDPR are (i) to make sure that we use other people’s personal information properly and (ii) to give individuals more control over how their personal data is used. Their rights will be enhanced, enabling them to restrict and object to processing and, if they wish, to be forgotten by organisations with whom they no longer want to be associated.  

We’ll still be able to collect and use personal data for our core purposes as a university, but we’ll have to be better at documenting how we comply with the law and make sure that our processes for recording data breaches and obtaining and recording consent from individuals are robust. We also need to be absolutely clear about why we’re holding someone’s personal data and what we’re doing with it.

GDPR is based on a set of principles, most of which are very similar to those under the current Data Protection Act. However, there are some significant differences, including:

• a new accountability principle which will mean that we must be able to show how we comply with the law; 
• more stringent requirements around obtaining and recording individuals’ consent for using their personal data (where we’re relying on consent to use that personal data); 
• strict timescales for reporting breaches to the Information Commissioner’s Office where a breach is a threat to the rights and freedoms of individuals;
• that we demonstrate that “data protection by design and default” is a core consideration when we’re planning and operating data processing systems and activities; 
• more severe penalties for non-compliance including fines of up to €20 million or 4% of an organisation’s global turnover.

The Information Commissioner’s Office (ICO) is the statutory authority for the UK on matters relating to data protection.  It has powers of investigation and enforcement, including the issuing of fines, and produces a range of guidance on best practice.  The ICO website is the most reliable source of information about the implementation of GDPR: www.ico.org.uk 
What about Brexit?
The UK will still be a member of the EU when GDPR comes into force on 25 May, so we do need to adopt the Regulation. Should we leave the EU in March 2019, we’ll be regarded as a third country, which means that we won’t automatically be considered by the EU to have “adequate” measures in relation to our data processing activities. It’s in our interests, then, to maintain the high standards set by GDPR to try and minimise any disruption to sharing personal data with EU member states post-Brexit.
How does GDPR differ from the Data Protection Act?

The principles that form the basis for processing personal data are very similar under GDPR to those that we’re familiar with under the current Data Protection Act.  The table below sets out how they differ:


Data Protection Act principles compared with General Data Protection Regulation principles

1. Lawfulness
   DPA: Personal data shall be processed fairly and lawfully and according to conditions.
   GDPR: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

2. Purpose
   DPA: Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
   GDPR: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

3. Data minimisation
   DPA: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
   GDPR: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

4. Accuracy
   DPA: Personal data shall be accurate and, where necessary, kept up to date.
   GDPR: Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

5. Storage
   DPA: Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
   GDPR: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

6. Access
   DPA: Personal data shall be processed in accordance with the rights of data subjects.
   GDPR: No equivalent principle. Access rights are addressed separately under GDPR (Chapter III).

7. Security
   DPA: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
   GDPR: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

8. Overseas transfer
   DPA: Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
   GDPR: No equivalent principle under GDPR. Overseas transfers of personal data are addressed separately in Chapter IV.

9. Accountability
   DPA: No equivalent principle under the DPA.
   GDPR: The controller shall be responsible for, and be able to demonstrate, compliance with the principles.
