The General Data Protection Regulation

(GDPR)

DR. VIKRAM DHIMAN

G I TA M
Purpose of GDPR
The General Data Protection Regulation (GDPR) is a robust privacy and security law that has
global implications. Let’s delve into its purpose and significance:

Key Goals and Purpose:

1. Enhancing Control: The GDPR aims to give consumers control over their personal data. Companies are
held responsible for how they handle and treat this information.

2. Simplifying Regulations: It supersedes the previous Data Protection Directive and simplifies
terminology, making it easier for international businesses to comply.

3. Coordinating EU Legal Landscape: By replacing the 1995 directive, the GDPR establishes a single
framework for personal data protection across all EU Member States.
What are the three main goals of the GDPR?

The objectives of the GDPR are:

1. Homogeneous protection of personal data across the EU Member States. The GDPR has
coordinated the European legislation on the use of personal data.
2. Increased accountability. ...
3. A simplified and lighter legal framework on the processing of personal data.
What is the primary purpose of the GDPR?

This Regulation protects fundamental rights and freedoms of natural persons and in particular
their right to the protection of personal data.
What are the 4 key components of GDPR?

The 4 key components of GDPR are:

Data Protection Principles.
Rights of Data Subjects.
Legal Bases for Data Processing.
Responsibilities and Obligations of Data Controllers and Processors.
Historical Context:
◦ The right to privacy has been part of the European Convention on Human Rights since 1950.
◦ In 1995, the EU introduced the European Data Protection Directive, setting minimum data privacy and
security standards.
◦ As technology evolved, the GDPR emerged to address modern challenges, including breaches and
increased reliance on cloud services.

In summary, the GDPR serves as a comprehensive framework to

safeguard individuals’ privacy rights and promote responsible data
handling in an interconnected world.
Introduction GDPR
The data protection package aims at making Europe fit for the digital age. More than 90% of
Europeans say they want the same data protection rights across the EU and regardless of where
their data is processed.
 What is the GDPR
◦ The GDPR is the toughest data protection law worldwide, drafted and passed by the European Union
(EU).
◦ It applies to organizations globally, as long as they collect or target data related to individuals in the
EU.
◦ The regulation came into effect on May 25, 2018.
◦ It imposes strict obligations regarding privacy and security standards, with potential fines
reaching millions of euros for violations1.

It aims to improve consumer protection and general levels of privacy for individuals, includes
mandatory reporting of data protection breaches and has an increased emphasis on gaining
explicit consent to process information.
 Data Protection Bill
The UK will also replace its current Data Protection Act
(1998) in the next few months, incorporating the GDPR
requirements. The Data Protection Bill is currently going
through the relevant parliamentary processes (it has
gone through the House of Lords and is currently in the
House of Commons on its 2nd reading).
The advice from the Information Commissioner’s Office is
that many of the GDPR’s main concepts and principles
are much the same as those in the current Act, and
therefore if we are complying properly with the current
law then most of our approach to compliance will remain
valid under the GDPR and the new Bill, and will give us a
starting point to build from.
However, there are new elements and significant
enhancements, so we will have to do some things for the
first time and some things differently.
The GDPR - new and changed concepts from the Data
Protection Act 1998

• Transparency and consent issues – information to be provided to individuals, and

permissions required from them

• Children and consent for online services

• Data – changes to the definitions of personal and sensitive data

• Breach notification

• Enhanced individual rights

 The GDPR - new and changed concepts from the Data
Protection Act 1998
•Pseudoanonymisation
This is a new definition which refers to the technique of processing personal data in such a way that it can
no longer be attributed to a specific individual, without the use of additional information which must be
kept separately and be subject to appropriate security to ensure non-attribution. Pseudoanonymised data is
still a form of personal data but its use is encouraged (e.g. for extra security of the data, for historical /
scientific research or for statistical purposes).
•Data Protection by design
Under the GDPR, we have a general obligation to implement technical and organisational measures to show
that we have considered and integrated data protection into our processing activities.
We have to adopt “data protection by design” measures. This means that the requirements of data
protection legislation must be considered at the very start of any project which involves the processing of
personal data. We will need to consider how any new system, or any changes to current systems, will impact
on the individuals whose data we will collect / or we already hold.
e.g. are we changing how / where we store the data, are we sharing the data with third parties that we
didn’t share with previously, are we processing the data differently from previously … ?
Scope of the GDPR
Any / all information relating to an identified or identifiable individual e.g.
◦ Information held in manual form or printed out
◦ Emails, databases, spreadsheets etc.
◦ Photographs on web sites, marketing photographs, ID Cards and Passes;
◦ CCTV images (both central CCTV system and any localised systems / webcams)
◦ Web pages
◦ Information which may be associated with online identifiers provided by devices,
applications, tools and protocols, such as internet protocol addresses, cookie identifiers or
other identifiers.
Definition of Personal Data
The definition of personal data (personal information) is simplified in the GDPR:

 Any information relating to an identified, or identifiable natural person (the data subject).

What does this mean in practice?

All staff, students, research subjects, alumni, members of the public etc.
where we hold their data – “identified”
Also includes, for example, pseudo anonymous individuals where the University
also holds the additional information to identify them - “identifiable”
 Legitimate Grounds for Processing Personal Data

Necessary for the performance of a contract with the data subject, or to take steps to prepare for a contract
The University needs to enter into an employment contract with you to pay you in accordance with your contract, to
ensure you are subject to it’s policies, regulations and rules and to administer your pension entitlements. These processes
will involve the processing of your personal and special categories data.

Necessary for compliance with a legal obligation

This would be in relation to UK or EU law only and the action undertaken should be foreseeable to those subject to it.
Common law obligations may also be sufficient.
If we’re relying on a legal obligation to process we still need to draw this to the attention of the individuals. For example
the University would need to process data e.g. to check an employee's entitlement to work in the UK, to deduct tax or to
comply with health and safety laws. In our privacy notice, or data collection notice we need to make sure that we
reference all the processing activities undertaken under a legal obligation. Remember using this ground for processing
should be foreseeable to the individual.
 Legitimate Grounds for Processing Personal Data

Necessary to protect the vital interests of a data subject or another person where the data subject is incapable of giving
consent
This condition is very tightly drafted, and can only be relied upon when there is no other available grounds for processing
the data, e.g. for medical emergencies. A ground for processing necessary for humanitarian purposes as well (e.g. disaster
responses).

Necessary for the performance of a task carried out in the public interest or as a consequence of an official authority
vested in the institution (“the public task”)
Only where the task is laid out in UK or EU law to which the University is subject.

Necessary for the purposes of legitimate interests pursued by the University

If you are relying on this you need to document your assessment of why the processing is legitimate. Have you considered
the rights and freedoms of data subjects?
 The public task
We can rely on this lawful basis if we need to process personal data:

• ‘in the exercise of official authority’. This covers public functions and powers that are set out in law;
or
• to perform a specific task in the public interest that is set out in law.

We don’t need a specific statutory power to process personal data, but our underlying task, function or power must
have a clear basis in law; The processing must be necessary. If we could reasonably perform our tasks or exercise our
powers in a less intrusive way, this lawful basis does not apply.

Universities are likely to be classified as public authorities, so the public task basis is likely to apply to much of our
processing, depending on the detail of our constitution and legal powers.

For example, we might rely on public task for processing student personal data for teaching and research purposes; but
we may need to rely on a mixture of legitimate interests and consent for alumni relations and fundraising purposes.

The university needs to consider its basis carefully – we have to document our decision to help demonstrate
compliance if required. We should be able to specify the relevant task, function or power, and identify its statutory or
common law basis.
 What is a legitimate interest basis for the University?
The legitimate interest basis for processing would be most appropriate where the University is using individuals’ data in
ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification
for the processing. For example in relation to members of staff the University would rely on the fact that it had
legitimate interest in processing personal data before, during and after the end of the employment relationship to:

• run recruitment and promotion processes;

• maintain accurate and up-to-date employment records and contact details (including details of who to contact in the event of
an emergency), and records of employee contractual and statutory rights;
• operate and keep a record of disciplinary and grievance processes;
• plan for career development, and for succession planning and workforce management purposes;
• operate and keep a record of absence and absence management procedures, to allow effective workforce management;
• obtain occupational health advice, to ensure that it complies with duties in relation to individuals with disabilities and to meet
its obligations under health and safety law;
• operate and keep a record of other types of leave (including maternity, paternity, adoption, parental and shared parental
leave), to ensure the University complies with duties in relation to leave entitlement, and to ensure that employees are
receiving the pay or other benefits to which they are entitled;
• ensure effective general HR and business administration;
• provide references on request for current or former employees; and
• respond to and defend against legal claims.
 Legitimate Grounds for Processing Personal Data
Consent
Consent is only one of the legitimate grounds for processing personal data under the GDPR. It should only be
used where an individual is offered a genuine choice to either accept or decline what is being offered without
suffering any detriment. It would not be appropriate to rely on consent if, for example, the individual had no
choice but to use the service or to accept the terms. e.g. access to free wifi only if the user consents to receiving
marketing materials would be unacceptable as the two things are unrelated.
GDPR has a narrower view of what constitutes consent than current legislation. Consent must be a freely given,
specified, informed and unambiguous indication of an individual’s wishes.
There must be some form of clear affirmative action – a “positive opt in”. Consent cannot be inferred from
silence, pre-ticked boxes or inactivity. Implied consent will no longer be an option.
Consent must be as easily revoked as it is given, and therefore clear processes should be in place for individuals to
withdraw consent.
Blanket consent for a number of processing activities is now unlikely to be valid, there needs to be consent
processes for each separate element of data processing
Legitimate Grounds for Processing Personal Data

Things to do now if you are relying on consent to process data:

Identify where you are relying on consent to process personal data / special categories data:
• Review how you collect the consent (information sheets, data collection notices, forms etc.)
• Make sure you are collecting a freely given, specified, informed and unambiguous indication of an
individual’s wishes (what are you telling them?);
• Can you offer individuals the opportunity to consent to certain areas of the processing and utilise a
“positive opt in” – e.g. a tick box process? This could be useful for research projects.
• Consider how individuals can revoke their consent? Is it clear from your documentation / website? It
needs to be as clear as the process you utilised to collect the consent, and individuals should be able to
notify you through the same medium.
• What do you do with consent already collected?
 Special categories of personal data
Special Categories of Data (previously known as “sensitive personal data”) are broadly unchanged from
those listed in the current Data Protection Act. Under the GDPR they are:

• racial or ethnic origin;

• political opinions;
• religious or philosophical beliefs;
• trade union membership;
• data concerning health or sex life and sexual orientation;
• genetic data (new); and
• biometric data where processed to uniquely identify a person (new).
 Grounds for Processing Special Categories of Data

Explicit Consent
The same stringent consent threshold is required as with personal data – freely given, specific, informed and unambiguous
indication of an individual’s wishes.

Necessary for obligations under employment, social security or social protection law, or a collective agreement - This is a wider
definition than within current legislation and is allowed in so far as it is justified by UK or EU law, or by collective agreement.
Providing there are appropriate safeguards for the rights and interests of the individual.

Necessary to protect the vital interests of a data subject or another person where the data subject is incapable of giving consent
This condition is very tightly drafted, and can only be relied upon when there is no other available grounds for processing the data,
e.g. for medical emergencies

Data made public by the data subject

Necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity - This is
a wider definition than within current legislation
 Grounds for Processing Special Categories of Data
Necessary for reasons of substantial public interest
Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity
of the employee, medical diagnosis, the provision of health or social care or treatment or management of
health or social care
This provision provides a formal legal justification for regulatory uses of healthcare data in the health and
pharmaceutical sectors, and by providing for the sharing of health data with providers of social care
Necessary for reasons of public interest in the area of public health
Necessary for archiving purposes in the public interest, or scientific and historical research purposes or
statistical purposes
This is a new condition under the GDPR and provides that special categories data can be processed for the
purposes of archiving, research and statistics. Pseudoanonymisation procedures would very likely need to
be considered if we were relying on using this ground for processing.
 Criminal Convictions and Offences
Data in relation to criminal convictions and offences are not categorised as
“sensitive” under the GDPR, which they were under the Data Protection Act 1998
However, they have not lost their sensitivity and the GDPR states that this type of
data can only be processed under the control of an official authority or where
the processing is authorised by UK or EU law, which provides appropriate
safeguards.
There will be a specific section within the Data Protection Bill relating to law
enforcement which will deal with processing for the prevention, detection,
investigation, or prosecution of criminal offences or the execution of criminal
penalties.
 Data Protection Principles
1. Data processed lawfully, fairly and in a transparent manner ('lawfulness, fairness and transparency')
The inclusion of the principle of transparency is a new provision within the GDPR.

2. Data obtained for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those
purposes
The current DPA 1998 has similar restrictions on the processing of data. The GDPR provisions include processing for public interest and/or
scientific purposes, widening the scope for further processing. Archiving, scientific / historical research or statistical purposes would not
been seen as incompatible with this purpose. However there would be a need to consider pseudo anonymising the data.

3. Data processed is adequate, relevant and limited to what is necessary

Current DPA 1998 uses the term excessive, the GDPR requirements take the opposite view and only permits processing of data that is
necessary.

4. Data is accurate and, where necessary, kept up to date

There are new rights for individuals in the GDPR e.g. data erasure, data correction etc. which will impact on this principle
 Data Protection Principles
5. Data should not to be kept longer than is necessary for the purpose
The GDPR expands the list of exceptions permitting the storage of data for longer periods where the data is being processed for archiving
purposes in the public interest and/or scientific purposes, and in addition for statistical or historical purposes.

6. Appropriate technical and organisational measures against unauthorised or unlawful processing, loss, damage or destruction

Accountability
The University is responsible for demonstrating that we comply with the six principles
 Data processed lawfully, fairly and in a transparent manner
Lawfulness
What are your grounds for processing both personal data and special categories data? There are no grounds for “it may be useful”. Remember consent is only
one of the grounds you can rely on there may be others that are relevant. If you are relying on consent ensure the quality of this consent – does it meet the
new requirements?

Fairness
If you are relying on consent it must be a freely given, specified, informed and unambiguous indication of an individual’s wishes. Ensure there is a form of clear
affirmative action – a “positive opt in”. What information are you giving individuals in order for them to make the choice.

Transparency

The University’s privacy notice will be updated, however consider whether you need your own privacy notice for specific processing activities. Make sure that
any notices you use are comprehensive and clear, written in plain language, in an easily accessible format.

Where is the information located? Can the individual reasonably be expected to locate the privacy notice, and to make an informed decision to grant consent
(where necessary)? Are you informing the individual why you are collecting the data, and what grounds you are relying on? (i.e. if you are not relying on
consent what are you relying on, make this clear)

Make a decision up front on issues such as archiving so that you can inform the individuals how long you will be keeping their data for.
 Data obtained for specified, explicit and legitimate purposes and not further
processed in a manner that is incompatible with those purposes

Purpose Limitation

Decide what your basis is for collecting the personal information / special categories information and make this known to the individuals concerned
e.g. in any T&Cs, on your website, in any literature.

Make sure you consider whether you need to draft your own privacy policy for the processing, or whether you link to the University policy. Have a
clear data collection statement which is explicit with regard to use of the data. This is essential in order to ensure specified, informed and
unambiguous consent. Make sure you include the retention period for the data.

The GDPR also sets out rules on factors to be taken into account to asses whether a new processing purposes fits with the purpose originally
communicated to the individual:

- Is there any link between the original and proposed new purpose?
- The context in which the data was collected
- The nature of the data (is it special category or criminal offence data)
- The possible consequence of the new processing
- The existence of safeguards such as pseudoanonymisation / encryption

Processing for archival purposes in the public interest, for scientific and historical research purpose or statistical purposes should be considered
compatible with the original purpose.
 Data processed is adequate, relevant and limited to what is necessary

Data minimisation

Only collect and use what you actually need in order to carry out the purpose, and importantly,
only what is compatible with the reasons and purposes which the individuals were informed of,
or the purposes for which you are legally entitled to hold the information.*

*Always refer back to your privacy notice / data collection notice

Importantly don’t collect (or hold) any data “in case it might come in handy”
Data is accurate and, where necessary, kept up to date
Accuracy

Make sure that any personal data, or special categories data, collected is recorded accurately.

Every reasonable step must be taken to ensure that any data found to be inaccurate is erased or
rectified without delay, and in any event within a month of receiving a request from the
individual.

The individual needs to notify us of any change in their data. However we should also check
periodically to make sure the data is still up to date.
 Data should not to be kept longer than is necessary for the purpose
Storage Limitation

We cannot hold data which permits identification of individuals any longer than is necessary for the purpose
notified to the individual in our privacy notice / data collection notice etc.

Data can be held for longer as long as this is for the purpose of archiving, or for scientific or historical research, or
for statistical purposes. Remember that when you have archived the data, or if you are using it for scientific
/historical research or for statistical purposes it still comes under the principle requiring appropriate technical and
organisational measures to be in place. Consider pseudoanonymisation at this stage.

Once the purpose for holding the data is no longer valid or the assigned retention date has passed you should not
continue to hold the information (see also principle 6)

We have a legal responsibility to make sure that the information is held securely, and that it is securely disposed of
at the end of the retention period
 Appropriate technical and organisational measures against unauthorised
or unlawful processing, loss, damage or destruction
Integrity and confidentiality

This principle applies to both personal and special categories data which must be kept secure. The data must be processed in a manner
that ensures appropriate security, including protection against unlawful processing, accidental loss, destruction or damage.

The information must only be available to those with a right to see it. Matters to consider:-

◦ Transferring information from one section / function / department to another, or transferring externally – it’s often essential to do this – but
consider what information actually needs to be transferred, to whom and how is it possible to ensure the confidentiality and the security of the
information. Remember even if we are transferring data it is still our responsibility to ensure its safety.

◦ Information is disclosed to members of staff in order for them to carry out their specific roles. This information should not under any
circumstances be disclosed or handed over to anyone other than those with a need to see it.

◦ Staff must be careful with memory sticks, laptops and other portable media – use encryption / passwords etc. Consult the University’s
Information Security Policy.
 Information Security
Paper records
Appropriate storage for paper / manual records would include:

◦ Locked metal cabinets with keys limited to authorised staff only;

◦ Locked drawer in a desk (or other storage area) with keys limited to authorised staff only;
◦ Locked room accessed by key or coded lock where access to the key/code is limited to authorised staff only.

Does your School / Department have a clear desk policy? If not are there any risks to having paperwork out on the desk overnight / at
weekends?

Appropriate disposal for paper / manual records would either be:

◦ Secure disposal via an accredited confidential waste disposal company

Or
◦ Shredding (best practice would suggest use of a cross-cut shredder)
Information Security
Electronic records and Database Systems

◦ Never disclose your password

◦ Ensure your password is robust – change it regularly
◦ Always log off, or lock a workstation before leaving it
◦ When working on confidential work and / or on work involving personal data make sure no one else can read your screen
◦ Protect equipment from physical theft (especially laptops and memory sticks)
◦ Store all data on the University network so that it is backed up regularly
◦ Remember to back up and secure work mobile devices (laptop / phone) as well
◦ When sending emails internally or externally it is essential to check that the appropriate recipient has been selected, before
sending the message
◦ Be careful with attachments – check they are the right ones before pressing “send”. Before forwarding attachments at all check that
the information is not available to the recipient by other secure means e.g. “One Drive”
◦ Particular care is required when forwarding emails, in particular ones with attachments so that information is only sent to people
with a real ‘need to know’.
 Accountability
The University is responsible for and should be able to demonstrate compliance with the six principles.
What does this mean in practice?
1. Adherence to approved policies and codes – how can we measure this?
2. Robust “paper trails” of decisions relating to data processing. Good records management is
essential.
3. Staff Training – ensure all staff know about data protection legislation and encourage attendance
4. Where appropriate use Privacy Impact Assessments which is an assessment carried out to identify
and minimise non-compliance risks, especially on “high risk” processing (e.g. substantial
processing of special categories data)
5. Audits of compliance though internal / external auditors
6. Use of Data Protection by Design measures (e.g. use of pseudoanonymisation)
7. Regular reports to the Compliance Task Group
 GDPR: Individual Rights
The right to be informed (privacy notice / data collection notice)
The right of access (subject access request)
The right to rectification (if data is inaccurate or incomplete)
◦ We must respond to a request for rectification of data within a month, if rectification isn’t possible the individual must receive an explanation as to why
that is

The right to erasure (previously known as the right to be forgotten)

◦ This does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent
processing in specific circumstances:
◦ Where the personal data is no longer necessary for the purpose for which it was originally collected/processed
◦ Where the individual withdraws consent, or objects to the processing and there is no overriding legitimate interest for continuing the processing.
◦ Where the data is being processed on the basis of the University’s legitimate interest, the individual objects, and the University cannot demonstrate that there are
overriding legitimate grounds for the processing
◦ If the information has been shared with others it is the University’s responsibility to inform them of the individuals request for data
erasure.
◦ The right to erasure does not apply
◦ For the exercise of the right of freedom of expression and information;
◦ For compliance with a UK or EU legal obligation
◦ For the performance of a public interest task or exercise of official authority
◦ For public health reasons
◦ For archival, research or statistical purposes
◦ If required for to establish, exercise or defend legal claims
 GDPR: Individual Rights
The right to restrict processing
◦ Where an individual contests the accuracy of the personal data, where an individual has objected to the processing and the
organisation is considering their legal reason for processing, where processing is unlawful and the individual opposes erasure and
requests restriction instead, where the organisation no longer need the personal data but the individual requires the data to establish,
exercise or defend a legal claim.
◦ The University can store the data, but cannot process it any further unless the individual consents or the processing is necessary to
establish e.g. a legal claim, to protect another person

The right to data portability

◦ The University must respond within a month. Allows individuals to move, copy or transfer personal data in order to obtain and reuse
for their own purposes across different services. Information must be provided in a structured, commonly used, machine readable
form. The right to data portability does not apply to paper only records.

The right to object

◦ to direct marketing : this is an absolute right
◦ To processing for scientific / historical research / statistical purposes : there must be grounds which specifically relate to the
individuals situation
◦ To processing for legitimate interests / public interest : important that the University is able to justify why we are relying on
these grounds for processing
Rights in relation to automated decision making and profiling
◦ Establishes safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. We
must identify whether any processing operations constitute automated decision making and consider whether appropriate
procedures are needed to deal with the requirements of the GDPR.
The right to be informed

The GDPR requires us to be transparent and to provide accessible information to individuals about how we use their information. The usual way in which to
provide this information is through the use of a “privacy notice”. The term “privacy notice” is used to describe all the different ways in which an organisation can
provide privacy information to individuals – on the web, in any literature etc. The privacy notice needs to be comprehensive.

The starting point of a privacy notice should be:

◦ Who is “Bangor University”; and if it is a specific notice, then it should also include who is the school / department;
◦ What is the University going to do with individuals’ information – the purpose for collecting it
◦ Who will it be shared with – important to include everything;
◦ Details of any transfers outside the EU (as we are an international University this may be relevant);
◦ The retention period for the data (consult the records retention schedule);
◦ The individuals right to access the data and to rectify, erase and restrict its use;
◦ The Complaints process (including to the Information Commissioner’s Office)
◦ Whether there’s a statutory or contractual requirement to provide the data and the consequences of not providing it;
◦ If there is any automated decision making;
◦ What is the source of the data (including if it is from a third party source who they are).

The Privacy Notice must be provided at the point in which the individual hands over the data. We can’t assume because someone engages with one service that
they would be happy for their data to be transferred to another service. If the data isn’t obtained directly from the individual, the University should provide the
Privacy Notice to the individual within a month of receiving the data
 The right of access

Individuals have the right to be told whether the University is processing their personal data, and to receive a copy of that data.
The individual also has the right to be provided with supplemental information about the processing (purpose of processing,
categories of data processed, recipients, retention period, their right to erasure / rectification, the source of the data)

In order to make a request to see / obtain a copy of the information an individual should make a request in writing. Within the
University the request should be made to [email protected] or by post to Lynette Hunter in Corporate Services.

There is no charge for making the request, and the request must be dealt without delay, and at the latest within one month of
receipt of the request.

Matters to consider
- Can we make data more accessible to individuals so they can see the information themselves without needing to use the right of
access procedure.
- Are we making students aware that they can see and amend data within MyBangor?
- Can we deal with a request for portability of data – which data can be easily exported in structured, machine readable formats?
 Children’s Personal Data in the digital environment
The GDPR contains new provisions intended to enhance the protection of children’s personal data in the digital
environment. In the GDPR children are identified as those who require specific protection under the regulations.
Will the rules in relation to children affect you?
Proposals in relation to online services would mean children aged 13 years old or above would be able to consent to their
data being processed. For children under 13 years old their parents or guardians would need to consent. Withdrawing
consent will also be simplified for children.
Privacy notices for children
Where services are offered directly to a child, organisations must ensure that the relevant privacy notice is written in a
clear, plain way that a child will understand.

Children’s personal data for all other circumstances

For all other data protection issues, children can make their own decisions if they have capacity or Gillick competency:
"...whether or not a child is capable of giving the necessary consent will depend on the child’s maturity and understanding
and the nature of the consent required. The child must be capable of making a reasonable assessment of the advantages
… so the consent, if given, can be properly and fairly described as true consent”
 Transfer of data outside the European Union
Transfers of personal data outside the EU continue to be regulated and restricted in certain circumstances. The University
can transfer data outside the European Union where the receiving organisation has provided adequate safeguards.
Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the
transfer.

Examples of adequate safeguards would be:

• a legally binding agreement between public authorities or bodies;
• binding corporate rules (agreements governing transfers made between organisations within in a corporate group);
• standard data protection clauses in the form of template transfer clauses adopted by the Commission;
• standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the
Commission;
• compliance with an approved code of conduct approved by a supervisory authority;
• certification under an approved certification mechanism as provided for in the GDPR;
• contractual clauses agreed authorised by the competent supervisory authority; or
• provisions inserted in to administrative arrangements between public authorities or bodies authorised by the competent supervisory
authority.
 Transfer of data outside the European Union

Any current data protection clauses which are put into contracts will need to be updated to ensure they
remain compliant with the GDPR requirements and new data protection legislation.

To do now:

• review and map key international data flows,

• consider what data transfer mechanisms you have in place and whether these will continue to be appropriate,
• review contract clauses to ensure the requirements remain compliant
 Personal or Special Categories Data Breach
The GDPR will introduce a duty on all organisations to report certain types of data breach to the Information
Commissioner’s Office (ICO), and in most cases also to the individuals affected.

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised
disclosure of, or access to, personal data / special categories data.

The University will have to notify the ICO where the breach is likely to result in a risk to the rights and freedoms of
individuals, and must do so within 72 hours.

Failing to notify a breach when required to do so can result in a fine, in addition there will be a significant fine for
the breach itself … up to 10 million Euros or 2 per cent of an organisation’s global turnover.

The University will be expected to keep an Internal Breach Register noting all personal / special categories data
breaches
When should we notify the ICO?
We should notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals. The individuals themselves
will also need to be notified in most cases.

Whether to notify or not has to be assessed by the University on a case by case basis, and all staff will be made aware of the University’s
internal breach reporting procedures.

Issues to consider when assessing

Would the breach have a significant detrimental effect on the individuals affected – e.g. result in discrimination, damage to reputation,
financial loss, loss of confidentiality, identify theft or any other significant disadvantage?

The ICO guidance states they would expect the following information to be shared:
◦ The nature of the personal data breach including, where possible the categories and approximate number of individuals concerned; and
◦ the categories and approximate number of personal data records concerned;
◦ The name and contact details of the data protection officer or other contact point where more information can be obtained;
◦ A description of the likely consequences of the personal data breach; and
◦ A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the
measures taken to mitigate any possible adverse effects.
 Staff Responsibilities
Staff (including volunteers working at the University, external members of committees and contractors) have a
responsibility to ensure that personal and special categories data:

◦ is kept on a need to know basis, treated sensitively and disposed of securely;

◦ is not disclosed, orally or in writing, intentionally, or accidentally, to any unauthorised member of staff or external third party

If you need to share personal or special categories data with another member of staff, or with an external third
party, make sure that you have satisfied yourself that they have the right to know the information, and if they have
that you have made them aware of the need for confidentiality.

Don’t hesitate to ask questions e.g. “why do you need it”, “what powers do you have to request it”?

Compliance with data protection legislation is both a personal and an organisational responsibility
 Final thoughts ….. Things to do now
1. Raise awareness of the changes with your colleagues, encourage them to attend training
2. Consider what information you hold, and identify your lawful basis for processing the information
3. Look at your Privacy Notices, and include all the required information
4. Are you set up to be able to deal with the changes to individuals’ rights?
5. Make sure you know who handles subject access requests
6. Do you rely on consent to process information, and if so how will you ensure you comply with the more
stringent requirements? Think about what needs doing both for current information and for the future
7. Do children use your services? Consider what information needs to be provided to them
8. Familiarise yourself with the University’s data breach procedure
9. Data Protection by Design – build this into your processes especially with new technology projects