General Data Protection Regulations
The EU General Data Protection Regulation (GDPR) became enforceable in the UK from 25 May 2018. The GDPR is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. The GDPR applies to all organisations processing the personal data of data subjects residing in the EU, regardless of the company’s location, and will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. For Durham University this means that all data processing activities are covered, whether in relation to UK or its international activities.
The GDPR introduced new requirements to UK data protection legislation, as well as enhancing the existing requirements. The GDPR are supported by new UK legislation - the Data Protection Act 2018 - which sets the UK requirements and obligations where the GDPR provides flexibility across the Member States to determine certain aspects.
Individual’s rights under the GDPR are increased, particularly regarding access, erasure and portability. Organisations are required to more clearly record and communicate what information will be captured, how it will be used and who it will be shared with. There are more stringent requirements on protection of the data and on breaches of data privacy.
The UK regulator, the Information Commissioner’s Office (ICO), has been developing and publishing guidance in support of the GDPR. It is incumbent upon organisations, however, to implement the requirements nonetheless. Penalties for non-compliance are substantially increased in comparison to the Data Protection Act 1998, from a maximum of £500,000 rising to up to 4% of annual global turnover or €20 Million (whichever is the greater), so there are significant financial penalties to not effectively implementing changes in line with the legislation.
Durham University has worked internally and with its supply chain to ensure that its policies, processes and systems are compliant with the requirements of the GDPR. In addition to the guidance published on our website, a number of internal resources are available to employees through the Data Protection Employee Guidance pages.
A new e-learning course is available via DUO. All employees are required to complete this. The 'Information Governance and Data Protection' course, which has a final assessment that must be passed, covers:
- Records and Information Management
- Data and the GDPR
- Information Security
- Freedom of Information
Guidance continues to be developed building on internal queries and feedback, as well as external guidance from the likes of the Information Commissioner's Office (ICO), to support University operations with developing and implementing the necessary controls. Internal guidance includes:
- Data privacy by design
- Data protection breaches
- Data protection impact assessments (DPIA)
- Data sharing (including International Transfers)
- Direct marketing
- Individual rights
- Lawful bases
- Services to Children
The Information Governance Unit are working with various University stakeholders to produce appropriate guidance and templates to support the requirements around documenting our data processing activities. The Documentation page provides further advice and links to key documents, in addition to the specific topics listed within the navigation.