The General Data Protection Regulation (GDPR)


On 25 May 2018, the General Data Protection Regulation (GDPR) came into force across the EU. The UK introduced a new Data Protection Act (DPA) on the same date, which replaced our old DPA and implemented GDPR. The new regulation introduced more stringent requirements for protection and accountability, and gave individuals more control over their personal data. All organisations, including the University, that handle personal data need to ensure that their systems and processes are compliant with the GDPR.

Summary of main changes under the GDPR

Privacy notices: more detailed privacy notices are required, which explain the purpose and legal basis behind processing activities

Accountability: data protection ‘by design and default’ should be the norm; stronger requirements to demonstrate compliance; Privacy Impact Assessments for all new processing activities

Reversible anonymisation (‘pseudonymisation’): encouraged as a data protection measure

Sensitive personal data: now includes genetic and biometric data

Consent: must be ‘opt-in’ (rather than being assumed from lack of action), freely given, informed and specific to named processing activities; data subjects will be able to withdraw consent at any time

Right to be forgotten: data subjects can request that their data is deleted in some circumstances

Right to data portability: data subjects can request their data in a portable format, in order to move it to another data controller

Subject Access Requests: individuals have a right to request access to their personal data held by organisation but this can no longer be charged for; response time limit reduced from 40 days to one month

International transfers: new rules for transfers outside the European Economic Area (EEA)

Breach notification: must notify the ICO within 72 hours of becoming aware of a data protection breach

Fines: maximum fine for breach increased from £500,000 to £17 million (€20 million) or 4% of annual turnover, whichever is greater.