Legal Services


GDPR: Programme Plan and Progress

Overall Programme Plan and high level progress reports. This page will be updated shortly.

On 25 May 2018, the EU General Data Protection Regulation (GDPR) came into force across the European Union (EU). This legislation introduces sweeping changes to the way in which personal data can be collected, used, retained and deleted. Furthermore, it significantly increases the penalties for non-compliance – 20million Euros or four percent of worldwide turnover.

Essentially GDPR is about accountability and transparency; being clear with people about how their data is used and putting high standards of data protection at the centre of how we do business

To meet the challenge of compliance posed by GDPR, UCL has established a GDPR Programme that will provide strategic planning and action change.

The GDPR Programme is broken down into two phases to make it more manageable and to accelerate delivery where possible.

 The two phases are:

Phase 1 – Investigation, emphasises an evidence-based approach to inform decision-making, such as prioritising high-risk areas then recommending controls to mitigate risk. Phase 1 has four workstreams: Non-Research Data, Research Data, Training and Policy & Process and will be completed by December 2018

Phase 2 - Implementation, puts in place  the recommendations made in Phase 1 and monitors  compliance progress, this phase will commence after December 2018