Important changes to Data Protection Rules and Procedures
In May 2018 the General Data Protection Regulation (GDPR) will replace the current Data Protection Act (DPA) governing how the University is required to process personal data. The GDPR is an EU Regulation and will apply to the UK despite Brexit.
Issues around personal data (where they are held and how they are used) are becoming ever more important; the EU has developed the GDPR to strengthen the rights of individuals to be informed about how their personal data are processed, to restrict the processing that is allowed and to require correction or deletion of personal data in certain circumstances.
As well as increased fines for data breaches (the current maximum fine of £500,000 will be increased to €20 million), organisations are to be held more accountable for how they process and protect the personal data they hold. The GDPR will require the maintenance of detailed internal records of personal data processing, the preparation of data protection impact assessments for riskier processes and clearer privacy notices informing individuals about how their data will be used. Consent notices will have to be reviewed and revised to ensure that consent has been obtained in accordance with the new rules.
The main changes to the current regulations are:
- Transparency - more detailed and informative privacy notices are required; the purpose of, and legal basis for, processing must be explained.
- Consent - must be freely given, specific, informed and unambiguous; consent must be provided by clear affirmative action.
- Accountability - new requirements for demonstrating compliance; Privacy Impact Assessments required for new processing activities; data protection by design and default is expected.
- Children - new rules for consent to processing children's data.
- Sensitive personal data - called 'special categories of data' - extended to cover genetic and biometric data.
- Pseudonymisation - use of data in this form is encouraged, e.g. where data is used for statistical, historical or research purposes.
- Subject access requests - no charge for these; response required within one month rather than 40 days.
- Breach - stricter time limits for notification.
- Right to be forgotten - data subjects can request deletion of data.
- Portability - data subjects can request that data is made available in a portable format (a structured, commonly used and machine-readable form).
- Data processors - now have direct statutory obligations of their own, in addition to those placed on data controllers.
- International transfers - new rules for transfers outside the EEA.
- Fines for breach - maximum increased from £500,000 to £17 million (€20 million).
Further information will be issued as necessary on the preparations for, and progress towards, ensuring that the University is ready for the new rules coming into force in May 2018.