Legal Services


What will be new


Under GDPR, there is a new accountability principle, which means we must be able to demonstrate compliance with the principles.

In practice this means all uses of personal data need to be recorded in asset registers. These registers should include:

  • the purpose
  • the legal basis for processing
  • the retention period
Personal Data

Includes online identifiers, location data and online identifiers. Here is the full definition:

‘any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’

Codes of Conduct

No new Codes have been published for the GDPR yet.


Under GDPR consent means:

‘…any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to personal data relating to him or her being processed.’

Sensitive Personal Data

Under GDPR sensitive personal data is now called special category personal data and has been expanded to also include:

  • genetic
  • biometric personal data
Breach Notification

There is a new obligation to report breaches of personal data security to the ICO within 72 hours.


An obligation to encrypt high risk personal data and use pseudonymisation techniques to minimise exposure. All staff that handle personal data must take the data protection and information security training.

Fair Processing Notices (FPNs)

Under the GDPR, the requirements for FPNs have been expanded considerably to include things like:

  • legal basis of processing
  • retention periods
  • recipients of personal data
  • purposes for processing
  • rights for individuals

A full FPN requirement list can be found in Article 13 and 14 of the GDPR.

Data protection by design and default

Ensure that for new projects and systems, you can demonstrate that you have integrated data protection into your processing activities, e.g. use of privacy impact assessments (see below) and the ICO’s guidance.

Privacy Impact Assessment (PIA)

Staff responsible for systems or processing that is high risk or large scale, e.g. CCTV, must undertake a PIA.

For researchers, consideration of PIAs is now part of the data protection registration process.

Subject Access

Ensure you know about this right. 

Be professional in what you record, particularly in your emails as staff you write about may have the right of access to them.

Data Portability

Check whether this applies to your work, as the right only applies:

  • to personal data an individual has provided to UCL;
  • where processing is based on consent or for the performance of a contract; and
  • when processing is carried out by automated means.


If it does apply, then consider how you would meet requests.


Ensure that you can administer changes to personal data that is held on request.

Right to erasure (to be forgotten (RTBF)

Consider how this right applies to the personal data you hold.

Other Individual Rights
  • Check to see if any of these rights apply to your work and the personal data that you hold by checking the ICO’s guidance.
Data Protection Officer (DPO)

Consult where necessary.

Contracts with Processors and Contractors

Central guidance is being prepared, please prepare for contracts to be updated to GDPR standards.