GDPR: what does it mean?
Tuesday, 20 February 2018
The General Data Protection Regulation (GDPR) is the new EU legal framework for data protection. It will apply to the UK from 25 May 2018 and will replace our current Data Protection Act.
The GDPR strengthens the rules around the protection of personal data and gives people greater control over how organisations collect, use, share, store and retain their personal information.
The core principles of the current Data Protection Act 1998 remain unchanged. Under the new arrangements, we must continue to:
- Keep information secure
- Use it fairly and lawfully
- Keep only what we need (don’t keep more than is required)
- Only keep data for the time it serves a purpose
- Keep it accurate and up to date
- Be clear about the purposes we use data for
- Ensure that data transferred outside the EU will be adequately protected
Nevertheless, the GDPR does introduce some new obligations. These include:
Documenting the data we hold, the legal basis for having it, and who we share it with
A Data Inventory exercise is underway, coordinated by IMPS via Heads of School and Services. The IMPS and Legal Services teams are working to ensure we have the necessary information recorded and are clear on which legal basis under the GDPR we hold it.
Consent
More robust requirements for collecting and using people's data with clear consent will be introduced. Under the GDPR, there must be an 'affirmative act establishing a freely given, informed, and unambiguous indication' of the person's wishes, and we must be able to evidence this. Silence, inaction, pre-ticked boxes and 'opt out' approaches are unlikely to meet this standard.
Consent is not the only basis on which we hold data. Much of our data usage will not be on a consent basis – for example, where we collect and use it to meet our obligations under staff or student contracts, or where we have statutory powers or duties to share information.
Work is underway to identify and review University activities that involve consent-based data handling. If you have any queries or need advice, please contact imps@reading.ac.uk.
Data subject rights
The GDPR introduces additional rights for individuals, and reduces the timeframe we have to respond to requests.
If you receive a request from an individual wishing to access or erase their data, or object to how it is being used, please contact the Data Protection Officer at imps@reading.ac.uk as soon as possible.
Data breach reporting
The University will be obligated to report breaches of the GDPR to the UK data regulator in certain circumstances.
Please read the Information Security Incident Reporting Policy and the guidelines on reporting incidents or concerns. The IMPS team are responsible for assessing the situation at hand, advising on action to be taken and notifying the regulator if required.
Privacy by design and default
The GDPR requires us to actively consider data protection and privacy in everything we do and demonstrate this. This includes the technical and organisational data protection measures we put in place from the very beginning of embarking on new projects, contractual arrangements, collaborative initiatives, or uses of external suppliers and IT solutions. IMPS, Procurement, IT, and Legal Services are already involved in work in this area. If you are undertaking new activities involving personal data that do not already involve the Procurement, Legal, IT or IMPS teams, please contact imps@reading.ac.uk for advice as early as possible.
Data Protection Officers
Under GDPR, all institutions must appoint a Data Protection Officer. This role will be taken on by the University's existing IMPS Officer, who can be contacted at imps@reading.ac.uk.
What should I do next?
There are a few things you can do now that will help make the transition into the new scheme even easier:
- Always check you are emailing the correct person when discussing personal or sensitive information.
- Complete our data protection and information security training modules.
- Familiarise yourself with current University policies.
- Dispose of data securely.
- Follow IT’s advice on protecting your equipment from malware and keeping your log-in details secure.
Where to find out more
IMPS has created a dedicated GDPR information page, which includes key information for University staff. The page will be updated with further information in due course.
Additional information is available on the Information Commissioner's Office website.
If you have any queries please contact imps@reading.ac.uk.