The General Data Protection Regulation (GDPR) is a new EU legislation relating to data protection, which applies from 25th May 2018. It replaces the Data Protection Act 1998 (DPA) and introduces greater protections for how personal data is used and stored. Although it is a European law, GDPR will be transferred to the UK statute books upon the UK's exit from the European Union and thus will remain in force.
Compliance is crucial due to the impacts personal data processing can have upon people's lives. GDPR revises and enhances the requirements on organisations to consider data protection and accountability, providing individuals new rights over how their data is used. You can find out more about how we use your data and your rights here.
The University of Nottingham needs to ensure its systems and processes are compliant with the new regulations and meet the concepts inherent in the privacy by design and accountability principles. Since the financial penalties and reputational damage from compliance breaches are greater than under the DPA, it is essential that the University's processes are scrutinised, recorded and, where necessary, amended.
What is the University doing?
The University is required to hold a central record of all personal data processing activities, along with appointing a Data Protection Officer (DPO), Mr Simon Gill, who has obligations to scrutinise legislative and process compliance. We anticipate additional benefits from achieving compliance to include: streamlining information handling processes, greater data storage centralisation, increased security of data processing and fewer complaints.
The University has initiated a project to oversee the institutional GDPR implementation preparations. The GDPR Working Group is chaired by Robert Dowling, the Academic Secretary, and has representation from all institutional business areas on it. It has developed a suite of policies and procedures to enable the University to achieve compliance, which have been approved by the Information Management and Security Steering Committee.
It is anticipated some business areas will be impacted by GDPR more than others, especially those with a marketing and/or outreach remit, hence efforts have been ongoing for some time to accommodate these particular needs. Importantly, the responsibility to report any personal data incident falls on any staff member (including contractors) who becomes aware of one.
The GDPR podcast briefing for staff is available here. We would recommend that all staff dealing with staff and/or student personal information watch the video.
Any school or department may also request a training session from the Information Compliance Team on any aspect of data protection compliance, including GDPR. A copy of the General Data Protection Regulation is available from EUR-Lex, the official source for European legislation, here.
You can read our GDPR-compliant Data Protection Policy here.