The UK General Data Protection Regulation (UK GDPR) is the post-Brexit version of the EU data protection legislation that took effect in 2018. It is complemented by the Data Protection Act 2018. UK GDPR introduced greater protections for how personal data is used and stored.
Compliance is crucial because of the impact that personal data processing can have on people's lives. UK GDPR revises and strengthens the requirements on organisations to consider data protection and accountability, and gives individuals new rights over how their data is used. You can find out more about how we use your data and your rights here.
The University of Nottingham needs to ensure its systems and processes are compliant with the regulation and meet the privacy by design and accountability principles that underpin it. Financial penalties under UK GDPR can be significant (up to £17.5 million or 4% of global annual turnover, whichever is higher), and the reputational damage from adverse publicity can be severe, so ensuring compliance is vital and is the responsibility of all staff.
What is the University doing?
The University holds a central record of all personal data processing activities, and has appointed a Data Protection Officer (DPO), Mrs Tracy Landon, whose role includes scrutinising compliance with the legislation and with internal processes. Additional benefits of achieving compliance include streamlined information handling processes (FOI and Subject Access Requests), greater centralisation of data storage, more secure data processing and fewer complaints.
The University's oversight group is the Information Management and Security Steering Committee.
It is anticipated that some business areas will be affected by UK GDPR more than others, especially those with a marketing and/or outreach remit, so efforts have been ongoing for some time to accommodate their particular needs. Importantly, the responsibility to report any personal data incident falls on any staff member (including contractors) who becomes aware of one. The GDPR podcast briefing for staff is available here. We recommend that all staff who deal with staff and/or student personal information watch it.
There are extensive resources including guidance and training available for staff on the internal Information Security and Compliance Team intranet site here.
The team also conducts regular Information Compliance training, which can be booked via Central Short Courses here.
Any school or department can request training from the Information Compliance Team on any aspect of data protection compliance, including GDPR. We are happy to tailor content to need.
A copy of the General Data Protection Regulation is available from EUR-Lex, the official source for European legislation, here, and you can read our GDPR-compliant Data Protection Policy here.