UCL's preparations for the General Data Protection Regulation (GDPR)

There is just under a month to go before the General Data Protection Regulation (GDPR) comes into effect across the UK and EU.

As you may have heard, this introduces major new fines of €20m or 4% of global turnover for breaches of data security, and could result in our ability to collect and interrogate data being curtailed or stopped altogether. Given its importance we want to take this opportunity to give you an update on UCL's preparations for GDPR.

In January, the Senior Management Team approved the establishment of a three-year change programme: the UCL GDPR Preparedness Programme. Since then the programme has been busy designing a GDPR assessment package, engaging with staff across the university and drafting changes to policies and processes in the background. While much has been achieved so far, there is still a very large amount of work to be done in this year as well as in subsequent years of the programme.

Many staff are aware of the date which the regulation comes into effect, Friday 25 May 2018, and are concerned about UCLs compliance with the law from this date. I refer to Elizabeth Denham, the Information Commissioners recent 'Myth busting' blog and podcast where she notes that:

"Unlike planning for the Y2K deadline, GDPR preparation doesn't end on 25 May 2018 - it requires ongoing effort.

It's an evolutionary process for organisations - 25 May is the date the legislation takes effect but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018."

The Data Protection Bill, which applies GDPR standards in the UK, is currently in its third reading in Parliament, and it is not clear when this will be published and come into law. It is therefore not possible to be fully compliant on day one, nor does the Information Commissioner's Office (ICO) expect us to be. The ICO does however expect us to be continually looking to identify the risks to privacy and addressing these.

To this end, UCL will introduce a series of changes, including:

· An updated Privacy Policy for the collection of staff and student data, with guidance for how departments/staff who require privacy notices for their areas of work can write their own privacy policy.

· Reviewing and amending the top 30 'high-risk processing' contracts, to bring these in line with GDPR.

· Publication of a staff briefing pack to outline what the GDPR means for you, your responsibilities and advice on guidance for how you can become compliant in your work.

· Launch of UCL's Data Protection Impact Assessment (DPIA) and guidance for completion.

Beyond this, the programme team have designed a GDPR screening survey which will be rolled out across the university at the departmental level in May this year. It has been designed to capture departmental information about data collection, processing, and storage practices. The survey will not gather any personal information about the respondent, and we will be issuing an 'amnesty' across the university regarding current data collection, processing, and retention practices. The survey is intended to be a tool for UCL to provide baseline understanding of its risk of non-compliance with GDPR, so that we can prioritise areas of concern for further investigation and action. This survey will also help us to identify areas where we may find 'quick wins' - small changes that can completely mitigate risks identified. We need staff to engage with this survey fully so that the university as a whole can become compliant.

The GDPR programme led a series of introductory lectures, as well as departmental meetings and we are pleased to report that over 3,700 staff have attended these events. This is a very good level of engagement, but the programme needs to do more.

In the coming weeks, the programme will be assessing UCL's legal basis for processing data. In the spirit of being open and honest with the public, UCL will publish its interpretation of GDPR.

The GDPR programme has also begun engaging with suppliers to procure new GDPR, information security, and information governance training. This will be rolled out later in the year to all staff.

In the meantime, staff are encouraged to visit the UCL GDPR website often. The website is updated regularly, and staff can find information about what they can do now, webinars about the GDPR, recordings of programme events, details about new policies and procedures as well as FAQs.

Lastly, we want to assure you that UCL is taking the incoming GDPR seriously. As a responsible university, we are aware of our obligations to students, staff and research participants, and we are working to achieve these. This will not happen overnight, but rather this will be delivered over a period of time as we adjust our working practices and behaviours to be compliant with the GDPR. There will be further updates throughout the year, and I thank you for your engagement so far.

If you have questions or queries about the GDPR please visit the UCL GDPR website in the first instance and should you need to, contact the GDPR team: GDPR@ucl.ac.uk.

Professor Michael Arthur, UCL's President & Provost

Professor Graham Hart, Dean of UCL Faculty of Population Health Sciences and Chair of UCL GDPR Project Board