General Data Protection Regulation (GDPR)

New Data Protection Legislation comes into force 

The new General Data Protection Regulation (GDPR), designed to protect individual personal data, becomes law on 25 May 2018. We all therefore need to take stock of how we deal with any personal data, as there is a much greater requirement on us, as an organisation and as individuals, to look after other people’s personal data. The recent substantial fine (£120k) levied by the Information Commissioner’s Office on the University of Greenwich, for the serious breach in releasing student information, is a lesson for all Higher Education Providers.

GDPR is European legislation. It has been adopted by the UK, despite the vote to leave the EU, to allow the UK to take advantage of the Digital Single Market. The harmonising and strengthening of data protection rules is a major part of the EU’s ambition to grow its digital economy, making better use of innovative services such as big data and cloud computing. Understandably, the UK also needs to be in a position to be part of this economic development. 

The importance of this new legislation is signalled by the considerable increase in the maximum financial penalty that can be levied for a breach, from £500k to around £17 million. One of the most significant changes relates to the requirement for consent to be given by individuals for their personal data to be used. For example, for direct marketing you must be asked if you wish to receive marketing materials by ‘opting in’, rather than having to ‘opt out’. There is also a requirement that personal data is not held for any longer than is necessary.

The changes brought about by the GDPR require us to be more conscientious about the way in which we process personal data, putting the rights of individuals at the heart of what we do, and being more transparent about how we use that data. 

Please do stop and think about how you manage personal data. For more information on GDPR, please read our GDPR overview and guidance document or visit the website of the Information Commissioner’s Office. Alternatively, HR are currently running GDPR Overview sessions which can be booked through Employee Self-Service. 

Further updates will follow in due course.