What does this mean for me?
Ensure that you understand the existing data protection principles.
Ensure you can demonstrate compliance by:
- Documenting your workflows
- Ensuring you have a legal basis for processing, e.g. consent
- Ensuring that you have an information asset register in place and it is up to date
- Ensuring that you or your office have completed the Annual Data Holdings Survey
- Personal Data
This means that almost any activity you perform relating to an individual will probably fall within scope of the GDPR.
If in doubt about whether it is personal data or not, err on the side of caution and assume that it is and that the GDPR applies.
- Codes of Conduct
Staff are encouraged to follow the existing ICO codes of conduct where they are relevant to their work, as this guidance offers a solid basis for compliance with the GDPR.
This means that the use of ‘opt outs’ or pre-ticked boxes is no longer an acceptable way to obtain consent.
Ensure that any processing you are doing using consent meets this higher threshold.
- Sensitive Personal Data
Make sure you are aware of this wider definition and only process it accordingly.
Check that you have a condition for processing this special category personal data (see Article 9).
- Breach notification
This means that all staff members must report personal data breaches immediately, in accordance with the UCL Incident Response procedure. Ensure that you and your team are familiar with it.
- Fair Processing Notices (FPNs)
If you collect personal data, ensure that your FPNs meet the new requirements in Articles 13/14 of the GDPR.
If you collect personal data and this processing is not covered by a privacy notice, UCL will breach the lawfulness, fairness and transparency principle.
- Data protection by design and default
Ensure that for new projects and systems, you can demonstrate that you have integrated data protection into your processing activities, e.g. use of privacy impact assessments (see below) and the ICO’s guidance.
- Privacy Impact Assessment (PIA)
Staff responsible for systems or processing that is high risk or large scale, e.g. CCTV, must undertake a PIA.
For researchers, consideration of PIAs is now part of the data protection registration process.
- Subject access
Ensure you know about this right.
Be professional in what you record, particularly in your emails, since the staff you write about may have a right of access to them.
- Data portability
Check whether this applies to your work, as the right only applies:
- to personal data an individual has provided to UCL;
- where processing is based on consent or for the performance of a contract; and
- when processing is carried out by automated means.
If it does apply, then consider how you would meet requests.
Ensure that you can administer, on request, changes to the personal data you hold.
- Right to erasure (right to be forgotten, RTBF)
Consider how this right applies to the personal data you hold.
- Other individual rights
Check to see if any of these rights apply to your work and the personal data that you hold by checking the ICO’s guidance.
- Data Protection Officer (DPO)
Consult the DPO where necessary.
- Contracts with processors and contractors
Central guidance is being prepared; please prepare for contracts to be updated to GDPR standards.