Legal Services


GDPR - Essentials

Why is data protection changing?

The current Data Protection Act 1998 was based on a European Directive that was drafted in the early 1990s, in an era before the widespread use of the internet and explosion of mobile technology transformed the way we process personal information. As digital technology profoundly changed the way data is collected, accessed and used, the current data regime under the DPA has become increasingly obsolete.

The GDPR seeks to change this. It represents an evolution in data protection legislation, an effort to bring privacy law into the 21st century and give individuals more control over the way their personal data is used.

What does this mean for UCL?

The GDPR will impose new obligations on UCL, such as:

  • performing privacy impact assessments for high risk processing of personal data
  • reporting breaches of security to the Information Commissioner within 72 hours
  • protecting personal data to higher standards by using encryption and psuedonymisation
  • ensuring staff are trained in data protection
  • meeting the new, tougher standard for consent under the GDPR
  • setting out the legitimate bases for processing personal data clearly and transparently

Under the GDPR individuals will be empowered by a series of new or enhanced rights, such as:

  • the right to data portability of electronic data the right of erasure (right to be forgotten) improved rights of access to personal data
Will there be fines for non-compliance?

Yes - according to the ICO, fines will be ‘effective, proportionate and dissuasive’. They will have the power to fine organisations up to 20 million Euros, or between two and four per cent of world-wide turnover, for breaches of the GDPR. This represents a step change in terms of the scale of penalties imposed on organisations who fail to observe the data principles.

How is UCL preparing for GDPR?

UCL has established a GDPR Project board headed up by Project Executive Graham Hart who will manage a team of specialist staff to ensure that the University is well placed to meet this new challenge. UCL President & Provost, Michael Arthur, is the sponsor of this project and will oversee its delivery.

The challenge posed by GDPR is a significant and pervasive one, and every member of staff will have a role in ensuring we are compliant with the new data protection regime. 

What impact does Brexit have on the implementation of the GDPR?

None. The government has committed to implement fully the GDPR and the new Regulation will come into force on 25 May 2018.

What role will the Data Protection Officer (DPO) play?

The DPO will have a key role in the implementation of the GDPR, including:

  • monitoring compliance with the Regulation
  • informing and advising UCL of its obligations under the Regulations
  • providing advice on privacy impact assessments
  • acting as a contact point with the Information Commissioner
  • raising awareness around data protection generally
What can I do to prepare for the GDPR?

Read the Essentials table (pdf) and, if you have not already done so, undertake the information compliance training on Moodle.  Once logged on search for:

  • "Data Protection Act"
  • "Data Protection Quiz"
  • "Information Security Awareness v2
  • "Freedom of Information Act"
What else can I do?

Staff can take this opportunity to review the personal data they hold. We have all collected a great deal of personal data from staff, students or customers over the years, but many have never sought to check it for accuracy and relevance since.

First, check to see whether you need to keep the personal data you hold. Consider the UCL records retention schedule to see how long the personal data should be kept. You may need to double check that you no longer need the information by consulting with colleagues and management. If the personal data no longer has a valid purpose and can legitimately be deleted, delete it.

Deleting personal data against a records retention schedule reduces the information compliance risk enormously and is possibly the single most effective GDPR compliance measure you can take.

Look to managing your email more actively. Do not leave messages piling up for years on end without any form of management.

How can I best approach GDPR?

Don’t get bogged down in the Articles of GDPR. If you would like further reading, the ICO’s 12 steps are a good place to start.

The GDPR is an attempt to put individuals back in control of their data so that gives us a chance to think strategically about how we use that information and ask ourselves some questions:

  • can we improve the student/staff/partner experience by using transparency to build trust?
  • can we ensure they see the use of their data as a benefit to them?
  • how can we ensure our use of personal data does not lead to security incidents, which may damage our reputation and cost us in terms of fines?

Addressing these questions not only helps us comply with GDPR, but also helps us manage our information and our working lives more effectively.