GDPR: Three things we need to know
Friday, 25 May 2018
Starting today, data protection in the UK will be regulated under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. The new laws place obligations on the University that all staff must be aware of:
Data Subject Rights
Individuals have rights in respect of the personal data that the University holds. You must refer any request made under these rights to the IMPS office straight away. A request can be made in writing or verbally, and it does not have to mention the GDPR or use any particular wording to count. The IMPS office has one calendar month from receipt to respond to a request, so delays in forwarding it eat into that deadline.
More information on Data Subject Rights.
It is important that you know how to recognise a data rights request, where to send it and who to call for advice.
Data Breach Reporting
The University is required to notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of a personal data breach that poses a risk to individuals. Where the breach poses a high risk to those individuals, we also need to notify the people affected.
Failure to do so can result in fines of up to 10 million Euros or 2% of global annual turnover, whichever is higher. Failure to act quickly can also have a detrimental impact on the individuals affected.
The University Data Protection Officer is responsible for reporting breaches to the regulator.
We have an Information Security Incident Reporting Policy and procedures that must be followed in the event of a data breach. Notify the IMPS team of any suspected or confirmed breach of personal data as soon as you become aware of it.
To report a breach please complete the form on the IMPS webpages, or call us on 0118 378 8981 or 0118 378 4905. IMPS will provide advice on any steps to take and investigate the incident.
More information on Data Breach Reporting.
It is important that you know how to report a data breach, who to call for advice and are aware of the consequences of not reporting issues promptly.
Data Protection by Design
The GDPR requires us to think about data protection and privacy from the very start of any activity involving the collection or use of personal data, for example when procuring a new piece of data hosting software, embarking on a new project, or making a significant change to how we use personal data we already hold.
Data protection by design includes assessing the purposes for the data collection and use, the lawful basis we have for using it, the security measures that will protect it, the retention and deletion needs, and how it can be accessed. It also requires us to have measures in place to protect privacy from the outset, for example defaulting the settings within an app to the least privacy-intrusive options, or identifying the minimum amount of personal data that is needed to achieve the purposes. For some higher-risk activities, a Data Protection Impact Assessment (DPIA) will be a legal requirement.
If you are embarking on a new or changed use of personal data, you can find out if a DPIA is needed and what you will need to do here.
More Information on Data Protection by Design.
If you have any questions, email imps@reading.ac.uk or call 0118 378 8981.