Legal Services


What does this mean for me?


Ensure that you understand the existing data protection principles.
Ensure you can demonstrate compliance by:

  • Documenting your workflows
  • Ensuring you have a legal basis for processing, e.g. consent
  • Ensuring that you have an information asset register in place and it is up to date
  • Ensuring that you or your office have completed the Annual Data Holdings Survey

Personal Data

This means that almost any activity you perform relating to an individual will probably fall within scope of the GDPR.

If in doubt about whether it is personal data or not, err on the side of caution and assume that it is and that the GDPR applies.

Codes of Conduct

Staff are encouraged to follow the ICO’s existing codes of conduct opposite where they are relevant to their work, as this guidance offers a solid basis for compliance with GDPR.


This means that the use of ‘opt outs’ or pre-ticked boxes is no longer an acceptable way to ensure consent.

Ensure that any processing you are doing using consent meets this higher threshold.

Sensitive Personal Data

Make sure you are aware of this wider definition and only process it accordingly.
Check that you have a condition for processing this special category personal data (see Article 9).

Breach Notification

This means that all staff members must report personal data breaches immediately, in accordance with the UCL Incident Response procedure. Ensure that you and your team are familiar with it.


If large quantities (more than 20 records) of personal information or sensitive personal data are transferred off UCL servers, then it should be encrypted using our encryption guidance.

Ensure you have taken the information compliance training - DP, FOI and Security.

Fair Processing Notices (FPNs)

If you collect personal data, ensure that your FPNs meet the new requirements in Articles 13/14 of the GDPR.

If you collect personal data and this processing is not covered by a privacy notice, UCL will breach the lawfulness, fairness and transparency principle.

Data protection by design and default

Data protection by design and default is a new approach to privacy that encourages consideration of data protection at an early stage of development.

Privacy Impact Assessment (PIA)

Under GDPR, PIAs are mandatory for high-risk processing on a large scale or for new projects.

Subject Access

The time for response has been reduced to 30 days.

Data Portability

Under GDPR, data portability gives individuals the right to ask for their personal data to be provided to them in a commonly used and machine-readable format so they can reuse it in other products and services.

It only applies to personal data that has been provided by the individual under contract or under consent.

This is different to the right of subject access.


Individuals are entitled to have personal data rectified within a month if it is inaccurate or incomplete.

Right to erasure (to be forgotten, RTBF)

Under GDPR, RTBF is a much broader right that allows individuals to request the deletion or removal of personal data in certain circumstances without concern for the threshold of damage or distress.

Other Individual Rights

  • right to be informed
  • automated decision making, including profiling
  • restricting processing

Data Protection Officer (DPO)

Under GDPR, a DPO is mandatory for UCL as a public authority and is given a much wider role, including:

  • to inform and advise of their data protection obligations
  • to monitor compliance with the GDPR
  • to provide advice on PIAs
  • to cooperate with the ICO

Contracts with Processors and Contractors

Under GDPR, agreements containing data protection clauses will need to be updated.