Legal Services


What can I do now?

Familiarise yourself with the GDPR

There is a very large amount of information available online and in the news. All staff are encouraged to visit the following websites to seek further information and details about GDPR:

Undertake current training:

Undertake the latest GDPR online training

Talk about Data Protection with your staff

This is not going to go away – Carphone Warehouse, BA… who’s next?

Engage with the online material available to you

For researchers it is paramount that you read and understand the following guidance pieces:

Guidance for researchers on the implications of GDPR and DPA (2018)

UCL statement on the use of 'Public Task' as a lawful basis for processing

If you are unsure about what your Data Protection risk is, complete a DPIA


Check the following items for all current/historical projects where personal data was collected.

  • Are you compliant with the Data Protection Act (1998)?
  • Do you process personal data?
  • Do you retain personal data? 
  • Do you need to retain personal data?
  • Do you have any processes that need reviewing? 
  • Review the current UCL Data Retention Schedule to ensure you are keeping data within the specific retention periods. If you find that you have been storing data beyond the retention date, do not panic; undertake the following checklist:
    • Where is the data stored? If this is not on a UCL Managed Service (UCL S: Drive, UCL SharePoint, UCL OneDrive, or any other UCL owned and managed storage), please contact your IT representative to make arrangements to move this data to UCL managed services.
    • Once the data move is completed, securely delete the data from the non-UCL storage device and document this deletion and the location of the data on UCL storage. If you are unsure how to securely delete this data please contact your local IT manager to provide initial assistance.
    • Document what data is stored and where it is stored on UCL managed services, when the data was collected, by whom and who the owner of the data is now. If these details are not known, take a decision within your department to assign a data owner.
    • Ensure that access to this data is restricted to only those persons who require it.
    • Do not delete the data from the UCL managed services. Later in 2018, the GDPR programme will issue new guidance and processes for the deletion of personal data on UCL managed services.
  • When the GDPR assessments are conducted across the University, please notify the GDPR project team of this transfer; they will log this information and include it as part of the wider Programme.
  • Research data containing ‘Special Categories Data’ should be stored on the UCL Data Safe Haven.
  • Discuss your data requirements with your IT representative and discuss the option of using UCL managed storage services. Do not store personal data on non-UCL managed services (e.g. Dropbox, Google Drive, Google shared documents, etc.).
  • Discuss with your IT representative the use of encryption tools such as 7Zip (available free from the UCL software database).
  • If your department is using the S:Drive, ensure your folders are restricted using role account access and, if required, encrypted.
  • Where you are using encryption and/or passwords, ensure that these are stored separately.

If you need to transfer personal data inside or outside of the organisation:

  1. Ask yourself why? – Why are you sending this personal data? Could this data be sent without the personal details fields?
  2. If you still need to send the personal data use one of the following options:
    1. E-mail: Encrypt the file using 7Zip. Contact the recipient – not via e-mail – to tell them the password. DO NOT INCLUDE THE PASSWORD IN THE EMAIL WITH THE FILE!
    2. For internal UCL transfers:
      1. Create a shared folder on the S:Drive where you can save the file and grant the recipient access to the folder, and notify them when the file is ready for collection.
      2. If this is going to be a regular task, create a SharePoint site. Restrict access to folders to the recipient only. Upload your file to the folder and notify the recipient that the file is ready for collection.
      3. Upload your file to UCL OneDrive. Share the link to the file with the recipient.

For external UCL transfers:

Wherever possible use a secure web interface to transfer the data. Many regulatory bodies and/or companies have secure file transfer systems in place. Please discuss this with the receiving party.

If you have no other alternative, then encrypt the file using 7Zip and e-mail the file. If the file is too large for e-mail you can send the encrypted file using UCL Dropbox. DO NOT INCLUDE THE PASSWORD IN THE FILE TRANSFER. Contact the recipient and provide them with the password.

If you need assistance, contact the UCL Service Desk.

Did you know? Sending an email is the same as sending a document in an unsealed and see-through envelope in the mail. E-mail is not encrypted, and therefore anyone can read it.

The information contained on these pages is intended to provide guidance on the GDPR to UCL staff only. It does not constitute wider legal advice on how to interpret data protection legislation. Where doubt exists, please contact the GDPR Programme for further guidance.