Ensure that my work is GDPR compliant

Data protection legislation (the Data Protection Act 2018 and GDPR) applies to any identifiable information relating to persons. It requires UCL to adopt a proactive approach to data protection compliance.

Before you start

Data protection legislation gives people the right to know what information is held on them and requires the university to ensure that personal information is handled according to seven principles:

  • Lawfulness, fairness and transparency;
  • Purpose limitation;
  • Data minimisation;
  • Accuracy;
  • Storage limitation;
  • Integrity and confidentiality; and
  • Accountability.

In addition to the above principles, the legislation also introduces new requirements such as privacy by design, privacy impact assessments and tougher information security controls.

Every member of staff at UCL is expected to have completed information compliance training, which includes GDPR Training.

If you have not already done this, please do so at your earliest opportunity.

Please see step 2, below.

1. Understand how GDPR affects you

GDPR affects every part of the university and every operation that involves personal data, i.e. information relating to an identified or identifiable living person. Everyone has an individual responsibility to help with the compliance effort.

2. Complete the relevant training

Information compliance training is mandatory for staff (including honorary staff) and PhD students.

3. Report any data breaches IMMEDIATELY

In cases where there has been a security incident involving personal information, UCL has only 72 hours to report such a breach to the Regulator.

4. Follow email best practice

Please read and follow UCL’s Email Policy. There is also a guidance note on good email practice that you should follow.