The General Data Protection Regulation (GDPR)

Introduction

On 25 May 2018, the General Data Protection Regulation (GDPR) will be coming into force across the EU. The UK will introduce a new Data Protection Act (DPA) on or before this date, which will replace our current DPA and implement GDPR. The new regulation will introduce more stringent requirements for protection and accountability, and will give individuals more control over their personal data. In preparation for this, organisations, such as the University, that handle personal data will need to ensure that their systems and processes are compliant with the new regulation.

Summary of main changes under the GDPR

Privacy notices: more detailed privacy notices are required, which explain the purpose and legal basis behind processing activities

Accountability: data protection ‘by design and default’ should be the norm; stronger requirements to demonstrate compliance; Privacy Impact Assessments for all new processing activities

Reversible anonymisation (‘pseudonymisation’): encouraged as a data protection measure

Sensitive personal data: now includes genetic and biometric data

Consent: must be ‘opt-in’ (rather than being assumed from lack of action), freely given, informed and specific to named processing activities; data subjects will be able to withdraw consent at any time

Right to be forgotten: data subjects can request that their data is deleted in some circumstances

Right to data portability: data subjects can request their data in a portable format, in order to move it to another data controller

Subject Access Requests: individuals have a right to request access to the personal data an organisation holds about them; this can no longer be charged for, and the response time limit is reduced from 40 days to one month

International transfers: new rules for transfers outside the European Economic Area (EEA)

Breach notification: must notify the ICO within 72 hours of becoming aware of a data protection breach

Fines: maximum fine for breach increased from £500,000 to £17 million (€20 million) or 4% of annual turnover, whichever is greater.