A number of wide-ranging changes will be introduced by the GDPR, which will have a direct effect on how the University processes data. The consequences of breaching the GDPR will be significant, with potential fines of up to 20 million euros; it is therefore crucial that all employees of the University are aware of their obligations under the Regulations.
The key changes under the GDPR can be categorised as follows:
1/ Transparency and accountability
The University will be required not just to comply with the GDPR but also to provide evidence to demonstrate our compliance. There will be an emphasis on being accountable and transparent about how data is collected, for what purpose and how it will be used.
2/ Record keeping
To support this drive for greater accountability and transparency, we must also keep more comprehensive records on our data processing activities. These records should include:
- The purpose of the processing;
- The categories of data subjects (i.e. whose data we are processing);
- The type of personal data that we are processing;
- Who this personal data will be shared with;
- The time limits that the data will be stored for;
- Any technical or organisational security measures that have been put in place to safeguard the data.
3/ Privacy by design
Under the GDPR, privacy and data protection must be considered at the outset of any project and, in many cases, a Privacy Impact Assessment (PIA) must be carried out. The purpose of a PIA is to identify what data processing the project will involve and to assess, mitigate or minimise any privacy risks associated with it.
4/ The rights of employees
The rights currently enjoyed by employees under the Data Protection Act will continue and will be enhanced under the GDPR. These rights will include:
- The right to be informed – the University must inform individuals of the data we collect and the purposes of processing it;
- The right of access – individuals have the right to access the information that we hold about them by making a Subject Access Request (SAR). This right will be enhanced under the GDPR;
- The right to be forgotten – in some circumstances an individual will have the right to request that their data be deleted when no longer needed;
- The right to data portability – individuals have the right to re-use their data for other purposes by requesting that it be transferred across departments or to another organisation. This may take place where an individual changes job and asks us to transfer their personal data to their new employer;
- The right to rectification – where the data held about an individual is inaccurate or incomplete, they can request that this is rectified.
5/ Subject Access Requests (SARs)
A SAR is a written request by an individual to access personal information that an organisation holds about them.
The time limit for responding to a SAR will be reduced from 40 days to one month under the GDPR. It will also no longer be possible to charge the £10 fee currently permitted under the Data Protection Act.
6/ Data breach notification
Strict notification requirements will be introduced under the GDPR for when organisations become aware of potential data breaches. After becoming aware of a potential data breach, organisations will have 72 hours in which to notify the Information Commissioner’s Office (ICO). This requirement will apply where the breach involves personal data and is likely to result in a risk to the rights or freedoms of the data subjects concerned.
7/ Appointment of a Data Protection Officer
It will become a legal requirement for many organisations, including the University, to appoint a Data Protection Officer under the GDPR. The function of the Data Protection Officer will be to ensure data protection compliance across the organisation and to act as a point of contact for data subjects and data protection authorities.
For further information, visit the ICO’s website or contact the University’s Legal Services team by emailing firstname.lastname@example.org.