Corporate Governance

The General Data Protection Regulation (GDPR)


The GDPR will apply in the UK from 25th May 2018. It will replace the current Data Protection Act (DPA) and will be a significant change to the law on data protection.

The UK’s decision to leave the EU will not affect the commencement of the GDPR.

The GDPR has many similarities to the DPA but seeks to ensure that the legislation governing data protection aligns with technological advancements that have occurred since the DPA came into force in 1998.

The University will need to do some things differently in the way we collect, use and manage personal data and all staff will need to ensure compliance. Work is underway to ensure that the University is fully prepared for the changes.

What are the GDPR Principles?

The principles are similar to those in the DPA, with added detail at certain points. The GDPR does not have principles relating to individuals’ rights or overseas transfers of personal data - these are specifically addressed in separate articles. The principles in Article 5 of the GDPR require that personal data shall be:

  1. Processed lawfully, fairly and in a transparent manner in relation to individuals.
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

What new rights do people have under the GDPR?

The GDPR builds on existing rights under the DPA and creates some new rights for individuals. The rights are set out below; these are subject to a number of exceptions and will not always apply to all circumstances:

  1. The right to be informed – usually via privacy notices
  2. The right of access – known as data subject access requests
  3. The right to rectification of data
  4. The right to be forgotten
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object – includes profiling, direct marketing and processing for research
  8. Rights in relation to automated decision making and profiling

How will the GDPR impact consent?

The GDPR has more specific requirements around consent than the DPA. These include:

  • Consent must be freely given, specific, informed and unambiguous.
  • Consent requires some form of clear affirmative action. Opt out or silence does not constitute consent.
  • Consent must be demonstrable. Some form of record must be kept of how and when consent was given.
  • Individuals have the right to withdraw consent at any time.

Where we have already obtained consent under the previous legislation we will not need to obtain fresh consent, as long as it meets the standard required by the GDPR. Therefore all current processing that uses consent should be reviewed to ensure it meets the GDPR requirements.

When are we allowed to process personal data?

The GDPR requires a legal basis for the processing of data. Examples of this are shown below:

  • Consent of the data subject
  • Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  • Processing is necessary for compliance with a legal obligation
  • Processing is necessary to protect the vital interests of a data subject or another person
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

The GDPR expressly states that a public authority (which the University is) cannot claim that the data processing is in the 'legitimate interests' of the data controller (in this case, the University) as a legal basis for processing (Article 6f of the GDPR). However, section 7(2) of the Data Protection Bill 2017 states that an organisation is "...only a 'public authority' ... when performing a task carried out in the public interest or in the exercise of official authority vested in it." Therefore, it is possible that the University may be able to use the legal basis that it is within the University's legitimate interests to process personal data in situations which are not part of the core work of the University, that is, the direct education of students and employment of staff. Please contact the Data Protection Officer for further information.

There are additional requirements when processing sensitive personal data.

What is Privacy by Design?

Privacy by Design is the concept of only processing the personal data that you need to in order to complete a task.  When you are setting up a new system, think about the work you need to do and the data you need for it.  For example, do you need to collect a full date of birth when all you need to know is the year in which an individual was born?  And even then, if you only actually need to know whether a person is a mature student, can you give a definition of what we consider a mature student to be and then ask the individual to tick a Yes / No box?  Whatever you decide, make sure you record your decision so that others can understand why we collect what we collect.

Another way of ensuring privacy by design is by carrying out a Privacy Impact Assessment to ensure all projects / new systems are built with appropriate security measures and data protection compliance. Carrying out an impact assessment at the start of a project ensures not only privacy by design, but also compliance with legislation and that systems are built with security from the outset and risks are managed. This often results in better and cheaper solutions as adding in good security at a later date can be costly.

The importance of dealing with data breaches under the GDPR

The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected. A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data. A notifiable breach has to be reported to the ICO within a defined period of the University becoming aware of it and, when appropriate, the data subject must be notified within the same tight timescale. Fines have increased and the maximum fines can be up to 20 million Euros or 4% of global turnover for a breach, depending on a number of factors. Failure to report a breach can also result in fines. The University requires all incidents and breaches to be reported so we can assess and reduce the risks and where possible prevent incidents from becoming breaches.