General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a European Union regulation governing how personal data and information are managed. It came into effect on 25 May 2018, replacing the Data Protection Act (1998).

What information does the GDPR apply to?

GDPR applies to 'personal data', meaning data which allows people to be directly or indirectly identified. This includes obvious data such as name, contact details and identification numbers, as well as less obvious data such as location data or online identifiers. The Regulation also defines sensitive personal data as "special categories of personal data"; this includes genetic data, and biometric data where it is processed to uniquely identify an individual.

If you are interested in more detail on this, see the Information Commissioner's Office key definitions page:

What does GDPR change in principle/overview?

The following principles describe the step changes in approach which GDPR sets out.

  • Transparency has always been a significant element of data protection law, and GDPR strengthens this.  For example, there are increased rights for data subjects to be informed about how their data is held and processed.
  • Data subjects are given more control over the personal data held and processed by organisations.
  • Accountability has been added as a new principle and requires organisations to actively demonstrate how they comply with the GDPR.

Organisations are encouraged to take an approach that promotes privacy and data protection compliance as an intrinsic and natural part of their approach to everyday activity.

What are the key practical changes GDPR makes?

  • The GDPR sets out that all processed data must have a lawful basis.  There are six lawful bases for processing, and different activities within the University might be covered by a different basis. (More information on this can be found here: ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/).
  • Sometimes we process data on the lawful basis of consent, e.g. if individuals consent to be sent marketing material, or to take part in research projects.  Rights relating to consent are significantly strengthened: consent must be given by opting in (opting out does not constitute consent), and individuals have the right to withdraw consent at any time.
  • Individuals have the right to be informed about the data we hold, why we hold it and on what legal basis we are processing it.  This is usually communicated by a Privacy Notice.
  • The right for individuals to request access to their personal data, known as a Subject Access Request (SAR), remains, but requests must now be processed more quickly (it used to be 40 working days and will now be 1 calendar month).
  • Data must be organised and processed in such a way that the rights of individuals can be maintained. These rights include the right to rectification, the right to be forgotten, the right to data portability and the right to object.
  • There are new rules for international transfers of personal data.  This relates to data moving outside the European Economic Area (EEA).
  • There is a strengthening of action when organisations discover they have breached the law.  Firstly, the Information Commissioner's Office (ICO), which is the regulator for this activity, must be notified within 72 hours of a data protection breach, and secondly the maximum fine for a data breach has increased to £17 million or 4% of annual turnover.