Corporate Governance

Frequently Asked Questions for the General Data Protection Regulation (GDPR)

These FAQs have been produced in response to the information we believe it is helpful for staff and students to know, and in response to questions already asked. These FAQs will be added to as and when more information becomes available, or when staff ask more questions.

1. What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a new regulation from the European Union dealing with the processing of personal data and the free movement of that data. The GDPR repeals the directive on which the current data protection legislation is based (Directive 95/46/EC) and therefore will repeal the Data Protection Act 1998 itself. As an EU Regulation, this piece of legislation is implemented directly into UK Law.

2. When does it come into effect?

The Regulation comes into effect on 25 May 2018, but work has already started within the University to reflect the effects of the Regulation on the work we do now and that which we have planned for the future e.g. new software systems.

3. Will we still have this Regulation after the UK leaves the EU?

We will still keep this regulation once the UK leaves the EU for two reasons:

  • this Regulation comes into effect before we leave the EU so we need to implement it for the time we are in the EU, and
  • when the UK is no longer part of the EU it will be necessary for the UK to prove that our standards for processing personal data are at least as good as those throughout the EU, for the remaining countries to be able to transfer data to the UK. One way of proving the UK data processing standards is to retain the basis of the EU Regulation that all other Member States use to regulate data processing.

4. What is the Data Protection Bill and how does it differ from the GDPR?

The Data Protection Bill is a further piece of legislation that brings into effect any ‘derogations’ that the UK has from the GDPR. That is, there are several points within the GDPR where individual Member States can determine how the legislation will be implemented in their own country in a way which applies best to their own circumstances. These Member State specific issues will be brought into UK law through the Data Protection Bill, which will also include the detail of the Law Enforcement Directive. The Data Protection Bill is currently (November 2017) going through the House of Lords.

5. What are the main changes in the GDPR?

The main changes in the GDPR are:

  • that the legislation is now technology neutral, so it applies to personal data held in any format whether paper or electronic, held in files, on laptops, phones, cameras, video tapes, audio recordings, etc
  • the definition of Personal Data has changed to include location data and online identifiers
  • the definition of Sensitive Personal Data has been extended to include genetic and biometric data but only for the purpose of uniquely identifying a living individual
  • the term Sensitive Personal Data itself changes to Sensitive Category Data (SCD)
  • that data subject rights are extended and improved
  • the requirement to know and state – in fair processing notices – the lawful basis for all types of processing of personal and sensitive personal data, and for this to be made clear at all times
  • the introduction of compulsory data breach notification
  • increased fines for data breaches and for breaches of the notification requirement
  • the requirement for transparency and accountability
  • increased responsibility of data processors for data processing.

6. How does it affect me?

Where our processing of personal data is already compliant with the Data Protection Act 1998 it should not take much to ensure our future processing under the GDPR is also compliant, so you shouldn’t be affected too much.

If you process any of the data in the extended definitions (in FAQ 5), you will need to make sure that this data is now treated appropriately. We need to know what personal data is being processed, where, why, who will see the data, how long we will process the data for and how we will delete it once it is no longer needed.

Work on this has already started and you may receive a request (if you haven’t already) from staff in the Information Governance team for information about the data you process. We also need to check the information we give to students and staff about our processing of their personal data, so you will need to check any fair processing notices or information sheets you might use to see if they provide the correct information.

7. What is a fair processing notice?

A ‘fair processing notice’ is the term given to the information that we need to provide to anyone whose personal data we process as part of our work. The University has two overarching statements – one for students and one for staff – which cover the main processing carried out by the University, but if we collect data on a school/departmental level, we need to provide this information to the students at the time we collect their data. Examples of such processing include the collection of data for research purposes, organising field trips etc.

The information should be provided in hard copy so that the individuals concerned have a copy of the information, but it may also be worth considering putting some of this information on school/department webpages if the processing is carried out on a regular basis.

8. What are the lawful bases for processing personal data?

Whenever processing personal data, we have to have a lawful basis for the processing. Under the GDPR these will be:

  • that the data subject has given their consent to this processing
  • that the processing is necessary for the performance of a contract involving the data subject
  • the processing is necessary for compliance, by the data controller, with a legal obligation
  • that the processing is necessary in order to protect the vital interests of the data subject or another living individual
  • that the processing is necessary for the performance of a task carried out in the public interest of the data controller
  • that the processing is necessary for the legitimate interests of the data controller.

9. How has the definition of “consent” changed?

The GDPR requires consent to be ‘specific, explicit, informed and freely given’. In order for the consent to be ‘specific’, the request for consent must be distinguishable from any other parts of the form.

Similarly, for the consent to be ‘explicit’ the individual must sign/agree to the request to provide the information separately from any other part of the form. For example, where a student agrees to be part of a research project, they agree/sign once to agree to be part of the research and then sign/agree a second time to the actual data processing that is involved. This consent must be retained for as long as the data to which it refers is held.

Having, and making available, a fair processing notice (see FAQ 7) means that when a person consents to their data being processed, their consent is informed by the information provided in the fair processing notice.

The final element of consent, that it is ‘freely given’, may be the hardest to achieve. If there is any element of the processing of the personal data that cannot be started, or continued, without the individual’s consent to it, then the consent cannot be freely given and it will be necessary to find another legal basis for the data processing.

10. What do I need to know about data breach notification?

Under the GDPR data breach notification is now compulsory whereas it was voluntary under the DPA 1998. The ICO will issue guidelines for when it is necessary to report a breach (similar to those in existence under the DPA), but the GDPR requires that the data controller shall report a data breach without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

The University already has a data security breach policy at Annex B of the Data Protection Policy which will be updated to reflect the changes required by the GDPR.

11. How much are the new fines under the GDPR?

There will be two categories of fines that can be imposed under the GDPR:

  • Failure to comply with obligations set out in the legislation for a data controller or data processor, as well as failing to comply with certification or monitoring body obligations, will attract fines up to 2% of annual turnover or €10m, whichever is the greater.
  • Failure to comply with the data protection principles, failure to comply with the necessary conditions for consent, failure to comply with the rights of data subjects, non-compliance with an order of the ICO, having non-compliant overseas transfers, and the failure to carry out a privacy impact assessment, will attract fines up to 4% of annual turnover or €20m, whichever is the greater.

The Information Commissioner’s Office (ICO) has stated that these higher fines will be used only in extreme situations and that it prefers to educate and change practice, rather than to fine organisations.

12. What is a Privacy Impact Assessment (PIA)?

A Privacy Impact Assessment, also known as a Data Protection Impact Assessment, is a form of (risk) assessment that identifies whether the proposed processing of personal or sensitive personal data might have an adverse impact on the privacy of the individual(s) whose data is being processed and if so, the steps that can be taken to remove or minimise the risk to the individual.

13. When should we carry out a Privacy Impact Assessment (PIA)?

The GDPR requires that an Impact Assessment should be carried out whenever new technologies for processing are to be used, where automated processing is involved, where there is a high risk to privacy involved in the processing, where profiling takes place, and where large amounts of sensitive personal data are being processed.

14. I’ve heard the phrase ‘Privacy by Design’ – what does it mean?

‘Privacy by Design’ is another term for ‘Data Protection by Design’, and refers to the action of determining the minimum personal data required to carry out the necessary processing. By processing only the minimum personal data required, we are maintaining an individual’s privacy (protecting data).

15. What are the new “data subject rights”?

The GDPR builds on the data subject rights in the DPA, the full list of which is:

  • The right to be informed via Fair Processing Notices
  • The right of access – known as Subject Access Requests
  • The right to rectification of data
  • The right to be forgotten*
  • The right to restrict processing
  • The right to data portability*
  • The right to object to processing
  • Rights in relation to automated decision making and profiling

* new under the GDPR

The right of data portability is only available where the personal data is processed with the consent of the data subject, not where the personal data has been collected using any of the other legal bases for processing.

16. What is the difference between a data controller and a data processor?

A Data Controller is the body/organisation that determines the purposes and means of processing personal data.

A Data Processor is a third party who processes personal data on behalf of, and in line with instructions from, the Data Controller and for no reasons of its own.

The significance of this is the new responsibilities of a data processor under the GDPR (see FAQ 17 for more detail).

17. What are the contractual responsibilities of a data processor?

Under the GDPR a data processor must provide guarantees to implement measures to ensure compliance with the GDPR, including security for the data they process, ensuring staff are compliant with confidentiality requirements, and only employing sub-processors with the agreement of the data controller. The data processor must comply with any data breach notification requirements set out by the data controller. Any data breach fines can now be imposed on a data processor as well as a data controller.

This information must be included in any new contracts set up with, and brought to the attention of, data processors employed by the University.

18. Where can I get more information about the GDPR?

More information about the GDPR (and what it will mean for the University) can be found on the University Corporate Governance pages or from the Information Commissioner’s Office webpages, or from the Information Governance team on ext 3642 or by email at