General Data Protection Regulation
What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is a new data protection law that applies in the UK and the rest of the EU from 25 May 2018 and replaces the Data Protection Act 1998 (DPA 1998). The law applies to organizations in all sectors, both public and private. Like the DPA 1998, it is regulated in the UK by the Information Commissioner’s Office (ICO). It applies in the UK despite and beyond Brexit. Individual EU Member States can introduce certain additional provisions to, and exemptions from, the GDPR. The UK Government has implemented these (plus other related measures, such as the regulatory powers of the ICO) by way of a new Data Protection Act 2018.
Is it similar to the Data Protection Act 1998?
Like the DPA 1998, the GDPR sets out rules and standards for an organization’s use of information relating to living identifiable individuals (‘personal data’). It doesn’t apply to truly anonymous information or to information about the deceased; note, however, that pseudonymised data (for example, records keyed by a student number rather than a name) is still personal data where the individual can be re-identified with additional information. The GDPR’s rules and standards are based around the existing DPA 1998 concepts of data protection principles and individual rights.
The GDPR has been designed to harmonize and strengthen data protection law and practice across the EU. While allowing for an element of risk-based implementation, the GDPR is substantially more prescriptive than the DPA 1998 in describing how organizations should implement the principles and uphold the rights of individuals – and how they should demonstrate that they are doing so.
What are the new prescriptive requirements?
In short, there are changes to the following:
- The existing data protection principles have been reinforced and an accountability principle has been introduced.
- The legal bases under which organizations can use an individual’s personal data have been subtly changed, and the conditions under which an individual’s consent can be valid are more stringent (consent must be freely given, specific, informed, unambiguous and as easy to withdraw as to give).
- Much more detailed information needs to be supplied to individuals about how their personal data is used (via what are usually termed 'privacy notices').
- Individuals can exercise their rights for free. The GDPR both boosts existing rights (e.g. the right of access to their personal data, or the right to have inaccurate data corrected) and introduces new ones (e.g. the right to erasure, commonly called the ‘right to be forgotten’).
- Organizations are required to promote a culture of ‘privacy by design and default’ through measures such as Data Protection Impact Assessments, security assessments, the maintenance of records setting out how personal data is used, and mandatory terms in legal agreements with other organizations with whom data is shared or which process data on the College’s behalf.
- Certain types of personal data breach must be notified to the ICO within 72 hours of the College becoming aware of them (unless the breach is unlikely to result in a risk to individuals), and, where the breach is likely to result in a high risk to individuals, the affected individuals must also be told without undue delay.
The changes will have a wide-ranging impact on how all organizations, including the College, can hold and use information about living identifiable individuals.
What are the penalties if something goes wrong?
The maximum fine that the College could receive for a breach of the DPA 1998 is £500,000; under the GDPR this is increased to €20m, or 4% of annual worldwide turnover (whichever is higher). It is accordingly even more important to make a collective effort to ensure that we handle personal data securely, carefully and in line with what individuals have been told.
What is the College doing about GDPR?
The College has established a GDPR Data Protection Working Group, chaired by the College’s Data Protection Officer, to work on and oversee the College’s preparations.
How does the GDPR affect central College processes?
Many of the changes necessitated by the GDPR may be fulfilled by amending central processes. Some of these concern the core interactions with, and information supplied to, different categories of individual such as applicants, students, alumni and staff. Others relate to the overarching policies, procedures and records that are required to enable us to demonstrate our compliance with the new law.
How does the GDPR affect College departmental processes? What do I need to do?
Although the greatest impact is upon central processes, some changes need to be implemented at a departmental level to ensure that certain processes overseen by departments (e.g. Academic Administration, Library) are aligned to the new law.
In addition, the Data Protection - Overview page contains resources that have been aligned to GDPR standards; these will continue to be supplemented and refined.
Can I have a bit more detail on the background?
The following resources should assist.
- Text of the GDPR
- ICO’s Guide to the GDPR
- Government documents about, and draft text of, the Data Protection Bill
- Text of the Data Protection Act 2018 (as enacted on 23 May 2018)
Who can I contact with further questions?
Further questions should be directed to the College’s Data Protection Officer (firstname.lastname@example.org).
This webpage was last updated in June 2018. It is reviewed when necessary and at least annually. Any changes will be published here.