General Data Protection Regulation (GDPR)
The new GDPR comes into effect in May 2018. It will replace the current Directive and apply to all EU member states without the need for national legislation. The implementation will require comprehensive changes to the way in which organisations, like UCL, collect, use and transfer personal data.
Organisations will need to adopt policies and procedures to ensure that they comply with the new regulation. This page provides information about the data protection reforms and what might happen next.
Please revisit this page as further information is posted.
What is the General Data Protection Regulation?
The General Data Protection Regulation (“GDPR”) will come into force on 25 May 2018. Together with the Data Protection Bill currently under consideration in Parliament, it will replace the Data Protection Act 1998 in the UK, imposing much stricter rules around how UCL uses personal data and far tougher penalties for non-compliance.
Why is data protection changing?
The current Data Protection Act 1998 was based on a European Directive that was drafted in the early 1990s, in an era before the widespread use of the internet and explosion of mobile technology transformed the way we process personal information. As digital technology profoundly changed the way data is collected, accessed and used, the current data regime under the DPA has become increasingly obsolete.
The GDPR seeks to change this. It represents an evolution in data protection legislation, an effort to bring privacy law into the 21st century and give individuals more control over the way their personal data is used.
What does this mean for UCL?
The GDPR will impose new obligations on UCL, such as:
- performing data protection impact assessments (DPIAs) for high risk processing of personal data
- reporting personal data breaches to the Information Commissioner within 72 hours of becoming aware of them (unless the breach is unlikely to result in a risk to individuals)
- protecting personal data to higher standards, for example by using encryption and pseudonymisation
- ensuring staff are trained in data protection
- meeting the new, tougher standard for consent under the GDPR
- setting out the lawful bases for processing personal data clearly and transparently
Under the GDPR individuals will be empowered by a series of new or enhanced rights, such as:
- the right to data portability for personal data held electronically
- the right of erasure (right to be forgotten)
- improved rights of access to personal data
Will there be fines for non-compliance?
Yes - according to the ICO, fines will be ‘effective, proportionate and dissuasive’. For the most serious breaches of the GDPR the ICO will have the power to fine organisations up to 20 million Euros or four per cent of world-wide annual turnover, whichever is higher; a lower tier of up to 10 million Euros or two per cent of turnover applies to other breaches. This represents a step change in the scale of penalties imposed on organisations that fail to observe the data protection principles.
How is UCL preparing for GDPR?
UCL has established a GDPR Project board headed up by Project Executive Graham Hart who will manage a team of specialist staff to ensure that the University is well placed to meet this new challenge. UCL President & Provost, Michael Arthur, is the sponsor of this project and will oversee its delivery.
The challenge posed by GDPR is a significant and pervasive one, and every member of staff will have a role in ensuring we are compliant with the new data protection regime.
What impact does Brexit have on the implementation of the GDPR?
None. The government has committed to implement fully the GDPR and the new Regulation will come into force on 25 May 2018.
What role will the Data Protection Officer (DPO) play?
The DPO will have a key role in the implementation of the GDPR, including:
- monitoring compliance with the Regulation
- informing and advising UCL of its obligations under the Regulation
- providing advice on privacy impact assessments
- acting as a contact point with the Information Commissioner
- raising awareness around data protection generally
What can I do to prepare for the GDPR?
Visit our GDPR pages and read our ‘Essentials for staff’ and, if you have not already done so, undertake the information compliance training:
- Data Protection – available here
- Information security – available here
- Freedom of Information – available here
What else can I do?
Staff can take this opportunity to review the personal data they hold. We have all collected a great deal of personal data from staff, students or customers over the years, but many have never sought to check it for accuracy and relevance since.
First, check to see whether you need to keep the personal data you hold. Consider the UCL records retention schedule to see how long the personal data should be kept. You may need to double check that you no longer need the information by consulting with colleagues and management. If the personal data no longer has a valid purpose and can legitimately be deleted, delete it.
Deleting personal data against a records retention schedule reduces the information compliance risk enormously and is possibly the single most effective GDPR compliance measure you can take.
Manage your email more actively. Do not leave messages piling up for years on end without any form of management.
How can I best approach GDPR?
Don’t get bogged down in the Articles of GDPR. If you would like further reading, the ICO’s 12 steps are a good place to start.
The GDPR is an attempt to put individuals back in control of their data. That gives us a chance to think strategically about how we use that information and to ask ourselves some questions:
- can we improve the student/staff/partner experience by using transparency to build trust?
- can we ensure they see the use of their data as a benefit to them?
- how can we ensure our use of personal data does not lead to security incidents, which may damage our reputation and cost us in terms of fines?
Addressing these questions not only helps us comply with GDPR, but also helps us manage our information and our working lives more effectively.
The Impact of Brexit
The result of the EU referendum and the UK’s decision to leave the EU will have an impact on the GDPR in the UK. Whilst the final position is not yet clear, the consensus of opinion is that the GDPR’s provisions will ultimately apply to the UK in one form or another. For example, if the UK remains a member of the Single Market/EEA the GDPR will continue to apply. If the UK leaves the Single Market it appears likely that the UK Government will adopt the GDPR’s provisions into national law in order to allow simple transfers of personal data between EU member states and the UK. The timing of the GDPR coming into effect also makes it likely that the new regulation will apply to the UK before any change of UK status.
Key points at a glance
- Consent must be unambiguous, freely given, specific and informed: data subjects should be told about each purpose for which their data is being processed, especially if the purposes evolve over time
- Must be ‘explicit’ for the processing of sensitive data, renamed special category data under GDPR. Explicit consent will require clear approval from the data subject e.g. a signed consent form.
- Obtained for each separate processing activity
- Data subjects will have the right to withdraw their consent at any time
- ‘Explicit’ consent is one of the limited derogations that may permit a transfer of personal data outside the European Economic Area (EEA) where no adequacy decision or other safeguard applies
Consent within research
The GDPR will broadly replicate the current Data Protection Act 1998 (DPA). However, all researchers will need to consider the different types of processing they carry out as part of their research to ensure compliance.
Researchers can still rely on consent as a legal basis to process personal data for their research, but a data subject must be given an easy way to withdraw it. Consent must still be ‘explicit’ for the processing of sensitive data, renamed special category data under the GDPR, and a data controller will need to be able to demonstrate that such consent has been given.
UCL will continue to be a Data Controller under the GDPR for all personal data processed for UCL led research. In most circumstances students are responsible for ensuring that their research involving living, identifiable individuals complies with the requirements of the DPA and, from May 2018, the GDPR.
As with the DPA, the GDPR will require data controllers to have a legitimate reason for processing personal data. If researchers are to rely on the consent of the data subject, they must be able to demonstrate that it was unambiguous, freely given, specific and informed for each purpose for which the data is being processed. The consent can be given in writing (including electronically), or as an oral statement. The GDPR provides some clarity:
This could include ticking a box when visiting an Internet website, choosing technical settings for information society services or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data.
Silence, pre-ticked boxes or inactivity should therefore not constitute consent.
It is important to ensure that consent is obtained for each separate processing activity. Consent will not be valid if several purposes have been unnecessarily bundled together so that an individual has to accept all of them or none of them.
For example, retention of contact details to invite participants to take part in future research is a distinct processing activity to the initial research and therefore separate consent must be obtained. Likewise use of the images of participants collected as part of a research study at a conference is also a separate processing activity and individuals should not generally have to consent to this just to take part in the research study.
Under the GDPR data subjects will have the right to withdraw their consent at any time. Mechanisms should therefore be in place to ensure that the process is both simple and effective. They should also be informed of this right prior to giving their consent.
How long does consent last?
The GDPR is not specific about how long consent should last. However, any consent is likely to degrade over time, and how long it lasts will depend on the context in which it was originally obtained. Some research activities may also develop over time, so it remains important to ensure that personal data is not used for purposes that go beyond the consent obtained; consent should therefore be kept under review. There must be a clear affirmation of consent: it cannot be inferred from a failure to object to further uses beyond what was originally specified. It is unlikely to be compliant to claim that one-off consent remains valid several years after it was obtained if the research is continuing. Consideration should therefore be given to how consent can be revisited.
The GDPR largely preserves the current DPA with regard to overseas transfers of personal data. For example, it prohibits transfers of personal data outside of the EEA unless certain conditions are met, such as an adequacy decision for the destination country.
Researchers should review their intended flows of personal data outside of the EEA, and consider what mechanisms they have in place to comply with the GDPR. For example, does the intended transfer involve a country which has an adequacy decision (deemed acceptable by the EU), or if based in the USA an organisation which has joined the EU-US Privacy Shield?
If you are intending to transfer personal data outside the EEA and the country has not been deemed to offer an adequate level of protection you will need to ensure that the transfer meets one of the other requirements of the GDPR, such as by use of standard contractual clauses or binding corporate rules (BCRs). Derogations (exemptions) are also permitted under limited additional circumstances. Explicit consent is one such derogation. If you know at the outset of your research that you intend to transfer personal data to another country you should inform data subjects of this and where necessary seek consent.
Privacy Notice
The GDPR will place accountability obligations on data controllers to demonstrate compliance with the new Regulation. This will introduce greater protection for individuals and give them more control over how their personal information is held, stored, used and shared.
To meet the enhanced privacy requirements, data controllers must be open and transparent about how they process a data subject's personal information.
A privacy notice is a statement, or document, that discloses the ways in which an organisation will obtain, record, hold, alter, retrieve, destroy or disclose, personal information.
UCL undertakes a wide range of processing, this is reflected in our existing privacy notices for students and alumni. In future there will be an updated alumni/supporter privacy notice covering the Office of the Vice Provost Development’s (OVPD) processing, a revised student notice detailing the overarching central uses of student personal data across UCL and a new staff privacy notice covering the uses of personal data for employment purposes. However, these won't cover all processing activities across UCL and those collecting and using personal data at the local level in departments and faculties will need to provide privacy notices of their own as will researchers processing personal data as part of a study.
The categories identified below should provide a useful platform from which to deliver your privacy notice so that it complies with the GDPR:
- details of the purpose and legal basis of the processing of the personal data;
- categories of personal data processed;
- details of how their personal information is to be used;
- information about security of their data;
- information about cookies used by a website;
- details of the recipients of the personal data;
- details of any transfers of personal data outside of the European Economic Area;
- right to complain;
- the period of time the personal data will be stored;
- individual rights – including how to make a subject access request and object to direct marketing.
The Information Commissioner’s Office (ICO) has published a revised Privacy Notices Code of Practice to assist organisations in preparing a clear and effective privacy notice.
Data Holdings Survey
The current Data Protection Act 1998 (DPA), will be replaced with the General Data Protection Regulation (GDPR) from May 2018. While the GDPR will broadly replicate the DPA the GDPR will require data controllers, like UCL, to document the legal basis for its collection and use (processing) of personal data and to ensure this is communicated to the individuals whose personal data we are processing, the data subjects.
The GDPR defines personal data broadly as any information relating to an identified or identifiable living individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, your posts on social networking websites or your medical information, to your computer’s IP address.
The GDPR defines special category data (previously known as sensitive personal data) as: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; data concerning health or sex life and sexual orientation; genetic data; biometric data where processed to uniquely identify a person.
Information that does not fall within the definition of "personal data" is not subject to the data protection law.
Some of the key changes in the GDPR are listed below:
- Change to the definition of consent – Must be ‘unambiguous’ so no opt-outs or pre-ticked boxes. Has implications for the sending of marketing such as newsletters to alumni. Consent must also be obtained for each distinct use of an individual’s data (you can no longer package together multiple uses), and must be able to be withdrawn easily
- Privacy notices must be provided and must contain specific information, including details of retention periods and the legal basis for processing
- Data breaches must be reported to the Information Commissioner within 72 hours
- Data Protection Impact Assessments (risk assessments) must be completed for all new high risk processing e.g. anything with sensitive data such as health related information that identifies living people
- Personal data assets must be recorded
- Profiling and automated decision-making are restricted, e.g. Learning Analytics. Decisions based solely on automated processing (including profiling, i.e. using so called ‘big data’ to predict behaviours) that produce legal or similarly significant effects on individuals generally require explicit consent or another specific exception
- International transfers – Even tougher to send personal data to countries outside the European Economic Area (EEA) unless specific safeguards are in place
- The time limit for providing access to an individual’s personal data changes from 40 days to one month (with an extension possible in some specific cases)
- Data processors (companies or individuals processing personal data on behalf of a data controller) will be liable for their actions i.e. capable of being fined as well as the data controller. Contracts should reflect these new responsibilities.
- New accountability principle. Data controllers are required to document how they are compliant with the Regulation. Part of this requires the creation of a register of personal data assets held, showing what personal data is collected, how it is used, how it is secured, whether it is shared and how long it is retained.
The 2017 Data Holdings Survey will help UCL meet the new accountability requirements of the GDPR. In time we shall be working together with the Information Security Group to create more comprehensive asset registers of both personal data and business sensitive data and at that time the data holdings survey will be subsumed into that.
UCL intends to continue to undertake a similar survey each year, although the content is likely to change with the establishment of new data protection laws.
This year's survey was conducted online, which it was hoped would make it easier to complete and enable us to produce useful analysis of the returns and run reports.
One submission from each department was required. This was to avoid multiple responses, which would prevent the collation of the wider asset register that we are required to have under the new Regulation.
We have received a number of queries relating to the survey. Whilst these kinds of issues will be remedied as far as possible, we will use this feedback to improve our future surveys.
Aims for the future
We welcome expressions of interest from departments to be involved in future pilot programmes, and suggestions of themes. Please contact us by email firstname.lastname@example.org
Further information
The Information Commissioner’s Office (ICO) has published a number of useful guides to help organisations understand the new framework, which may or may not be implemented in the UK as a result of a post-Brexit UK/EU relationship. If it is decided that the UK is to remain part of the EEA then the GDPR would still apply and still have an impact on UK-based organisations.