General Data Protection Regulations
Data protection legislation in the UK is changing as a result of the publication in 2016 of the EU General Data Protection Regulation (GDPR). This becomes enforceable from 25 May 2018. The GDPR was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy.
The GDPR enhances some of the requirements of UK data protection legislation, as well as introducing new requirements. The GDPR is supported by new UK legislation - the Data Protection Act 2018. The GDPR applies to all organisations processing the personal data of data subjects residing in the EU, regardless of the organisation’s location, and applies to the processing of personal data by controllers and processors established in the EU, regardless of whether the processing takes place in the EU or not. For Durham University this means that all of its data processing activities are covered, whether in relation to its UK activities or its international activities.
Individuals’ rights under the GDPR are increased, particularly regarding access, erasure and portability. Organisations are required to record and communicate more clearly what information will be captured, how it will be used and who it will be shared with. There are more stringent requirements on the protection of personal data and on the handling of data privacy breaches.
The UK regulator, the Information Commissioner’s Office (ICO), has been developing and publishing guidance in support of the GDPR but, as at March 2018, has not addressed all aspects of the new legislation. It is nonetheless incumbent upon organisations to implement the requirements. Penalties for non-compliance are substantially increased in comparison to the Data Protection Act 1998, from a maximum of £500,000 rising to up to 4% of annual global turnover or €20 million (whichever is the greater), so there are significant financial penalties for failing to implement changes effectively in line with the legislation.
Durham University has been working internally and with its supply chain to ensure that its policies, processes and systems are compliant with the requirements of the GDPR. In addition to the guidance published on our website, a number of internal resources are available to employees through the guidance pages and in the 'Resources' section below.
A new e-learning course is available via DUO. All employees are required to complete this. The 'Information Governance and Data Protection' course, which has a final assessment that must be passed, covers:
- Records and Information Management
- Data and the GDPR
- Information Security
- Freedom of Information
Guidance continues to be developed, building on internal queries and feedback as well as external guidance from bodies such as the Information Commissioner's Office (ICO), to support University operations in developing and implementing the necessary controls. Internal guidance addresses the following areas of the GDPR:
- Data privacy by design
- Data protection breaches
- Data protection impact assessments (DPIA)
- Data sharing (including International Transfers)
- Direct marketing
- Individual rights
- Lawful bases
- Services to Children
The Information Governance Unit is working with various University stakeholders to produce appropriate guidance and templates to support the requirements around documenting our data processing activities. The Documentation page provides further advice and links to key documents, in addition to the specific topics listed within the navigation.
- GDPR Implementation Plan - IGU (last modified: 21 March 2018)