GDPR: - Frequently Asked Questions

The GDPR will be enforceable law from May 25th 2018.

The GDPR states that Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13. As such, in the UK the age will be 13, not 16.

The UK government have confirmed that the UK will need to comply despite Brexit. On the 14th September 2017 the UK government published a Data Protection Bill that will exist alongside the GDPR and covers those areas of the GDPR that allowed for decisions to be made by individual member states, such as the powers of our own Data Protection Authority (the Information Commissioner's Office)

The GDPR applies to organisations located within the EU and to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

There is a tiered approach  to issuing penalties under GDPR.

1. Organisations can be fined up to 4% of annual global turnover, or €20 Million of annual global turnover (whichever is higher), for breaches that may occur. This is the maximum fine that can be imposed for the most serious infringements. e.g. loss of data, not notifying the Information Commissioner's Office (ICO) of a breach etc.
2. They can also be fined 2% of annual global turnover, or €10 million for not having sufficient records of their processing activities.  e.g.not identifying what processing they do, not notifying the data subject about processing, not delivering against the rights of the data subject etc.

The fines are significant and no doubt a driver for compliance, but can be avoided providing that the University, and our staff process data in the right way.

No, mandatory reporting is only required where the breach poses "a risk to the rights and freedoms of individuals". In such instances, without undue delay, and where feasible, we must report the incident to the ICO within 72 hours.

You must however report all suspected or potential data breaches to the University Data Protection Officer  (See below)

Yes. Any "near miss" or incident that occurs involving personal data should be flagged to the DPO so that it can be logged and investigated and so that they can assess the risk "to the rights and freedoms of individuals".

Whilst this may seem  excessive, particularly where it is obvious that it was "accidental", the University needs to know about it so that we can prevent similar incidents happening in the future with higher risk data. 

Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

Not always.  Consent is only one of several lawful grounds for holding and using people's data. For example, any uses that are for the purposes of contractual arrangements (including student/employee contracts) are unlikely to be on consent grounds. The University has produced guidance on Lawful basis for processing.

The conditions for consent have been strengthened, as organisations will no longer be able to utilise long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent - meaning it must be unambiguous. 

Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.

Consent must be by a positive indication of the individuals intention i.e. "tick to opt-in" rather than a by passive "un-tick here to opt-out". Where consent has been obtained, it must be as easy to withdraw consent as it is to give it.