The General Data Protection Regulation (GDPR) is a regulation from the European Union dealing with the processing of personal data and the free movement of that data. As an EU Regulation, it's now been implemented into UK Law, starting 25 May 2018.

Failure to comply with these regulations can result in very large financial penalties for organisations and individuals involved in the data processing. The new regulations will remain in effect when the UK leaves the EU.

The GDPR changes

  • The legislation is now technology neutral, so it applies to personal data held in any format whether paper or electronic, held in files, on laptops, phones, cameras, video tapes, audio recordings, and so on
  • The definition of Personal Data has changed to include location data and online identifiers
  • The definition of Sensitive Personal Data has been extended to include genetic and biometric data but only for the purpose of uniquely identifying a living individual
  • The term Sensitive Personal Data itself changes to Sensitive Category Data (SCD)
  • Data subject rights are now extended and improved
  • There is a new requirement to know and state – in fair processing notices – the lawful basis for all types of processing of personal and sensitive personal data, and for this to be made clear at all times
  • A compulsory data breach notification has been introduced
  • There are increased fines for data and notification breaches
  • A greater requirement for transparency and accountability
  • Those processing data now have greater responsibility for effective data processing

How the GDPR affects you

The GDPR shouldn't affect you very much. But you may notice, when your data is requested, you can get a clearer picture of how, where, why and for how long your personal data is being processed, who will see it, and how it will eventually be deleted. It's a good thing for individuals – whose data is now better protected than ever – and for organisations like us, as secure, high-quality data is vital to the work we do.

The lawful bases for processing personal data under the GDPR

Whenever processing personal data, we have to have a lawful basis for the processing. Under the GDPR these will be:

  • that the data subject has given their consent to this processing
  • that the processing is necessary for the performance of a contract involving the data subject
  • that the processing is necessary for compliance, by the data controller, with a legal obligation
  • that the processing is necessary to protect the vital interests of the data subject or another living individual
  • that the processing is necessary for the performance of a task carried out in the public interest of the data controller
  • that the processing is necessary or the legitimate interests of the data controller 

How the definition of 'consent' has changed

The GDPR requires consent to be ‘specific, explicit, informed and freely given’. For the consent to be ‘specific’, the request for consent must be distinguishable from any other parts of the form.

Similarly, for the consent to be ‘explicit’ the individual must sign/agree to the request to provide the information separately from any other part of the form. For example, where a student agrees to be part of a research project, they agree/sign once to agree to be part of the research and then sign/agree a second time to the actual data processing that's involved. This consent must be retained for as long as the data to which it refers is held.

The final element of consent – that it is ‘freely given’ – may be the hardest to achieve. If there's any element of the processing of the personal data that cannot be started, or continue without the individual’s consent to it, then the consent cannot be freely given and it will be necessary to find another legal basis for the data processing.

What ‘privacy by design’ means

‘Privacy by design’ is another term for ‘data protection by design’, and refers to the action of determining the minimum personal data required to carry out the necessary processing. By processing only the minimum personal data required, we're maintaining an individual’s privacy (protecting data).

What the new 'data subject rights' mean

The GDPR builds on the data subject rights in the Data Protection Act. These are:

  • the right to be informed via Fair Processing Notices
  • the right of access – known as Subject Access Requests
  • the right to rectification of data
  • the right to be forgotten (new under the GDPR)
  • the right to restrict processing
  • the right to data portability (new under the GDPR)
  • the right to object to processing
  • rights in relation to automated making and profiling

The right of data portability is only available where the personal data is processed with the consent of the data subject, not where the personal data has been collected using any of the other legal basis for processing.

More information about the GDPR

You can find more information about the GDPR:

Contact us
  • Information Governance
  • information-matters@port.ac.uk
  • 023 9284 3642