XClose

UCL Centre for Languages & International Education (CLIE)

Home
Menu

GDPR is coming, but don't be afraid!

14 March 2018

gdpr

Remember the 25th May 2018, this is the day the General Data Protection Regulation (GDPR) comes into force in the UK. This legislation introduces sweeping changes to the ways in which personal data can be used.  These include:

  • Mandatory data breach notification within 72 hours
  • Much tougher requirements for data security, including encryption and pseudonymisation
  • New or enhanced individual rights, such as the right to be forgotten and the right to portability
  • Requirements for privacy impact assessments 
  • A new, restricted definition of consent
  • Data protection becomes a UCL Council-level issue
  • Increase in fines for non-compliance - up to 20 million Euros or 4% of worldwide turnover (whichever is the greater)
  • A new accountability principle requiring organisations to demonstrate compliance with GDPR  

The legislation puts an onus on all organisations to ensure that they put the right working practices and policies in place to protect individual privacy. This means ensuring that the principles of good practice in data protection, and concepts such as "privacy by design and default", are embedded in any project, research or activity that involves personal data. 

What is UCL doing?

UCL is in the process of implementing a GDPR programme which has three elements:

1. Mapping of all data held at UCL and undertake a GDPR assessment within each department to investigate what is required to reach compliance. 

These assessments have been developed with one of UCL's external law firms and break down the legislative requirements into critical questions for each department and division, to check that current practice observes the new data protection principles. 

Where change is required, the programme will work with departments and help deliver this. It may be that there are common changes across departments and, in this case, the programme will collate requirements and help deliver this in a structured manner.

2. Develop new information compliance training: to be rolled out later this year as a mandatory requirement for all staff.

UCL has agreed with the Information Commissioner to delivery mandatory training to all staff, but UCL also recognise that this is best practice for an organisation of its size and complexity. 

3. Undertake a review of all policies and processes at UCL to check that they are compliant with the incoming legislation. 

This review will only focus on GDPR-related matters. If a policy or process needs to be amended, it will be completed in line with a change management process, and in conjunction with the relevant governance group. 

For more details about the programme please see the UCL GDPR Website.

What can you do to prepare?

Familiarise yourself with the GDPR

In your teams start to think about your policies and processes

  • Are you compliant with the current DPA (1998)?
  • Do you process personal data? If so, why? And do you need to?
  • Do you retain personal data?
  • Do you need to retain personal data?
  • Do you have any processes that have not been updated for some time and need reviewing?