General Data Protection Regulation - FAQ
The General Data Protection Regulation (GDPR) is a new, European-wide law that replaces the Data Protection Act 1998 (DPA) in the UK. It places greater obligations on how all organisations, including universities, handle “personal data”. It must be implemented in the UK by 25 May 2018.
The GDPR is an evolution of the existing law and so many of the GDPR’s concepts and principles are similar to those in the DPA, however there are new elements which require additional documentation to be produced and kept by the University to enhance transparency.
GDPR is going to affect every part of the University. We need data protection to be at the forefront of your mind. Everyone has a responsibility to determine how they will be affected by GDPR and the steps they need to take to ensure the University’s compliance.
What should you do now?
Please read the rest of these FAQs, which have been designed to take you through the key concepts of the GDPR and the documents which we need you to complete in order to ensure that the University is compliant with the GDPR by 25 May.
What is personal data?
It is any information relating to an identified or identifiable living person (known as a ‘data subject’).
Examples of personal data include contact details, health data, national insurance numbers, etc.
What does "identifiable" mean?
Names are not necessarily required in order to identify an individual; simply because you do not know the name of an individual does not mean that you cannot identify them. Similarly, a name by itself may not always be personal data, especially if that name is very common, e.g. John Smith. Factors other than a person’s name may reveal information about them, e.g. social, cultural, genetic or physical characteristics, an ID number or biometric data. Context may also reveal information about an individual. Where a name is combined with other information, such as an address, a physical description or a job title, this is likely to clearly identify one individual.
If you learn something about an individual from text, it is personal data regulated by the GDPR.
What are the "special categories" of personal data?
This was called "sensitive" personal data under the DPA. Stricter conditions apply to the processing (use) of this data. It is information relating to:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data for the purposes of uniquely identifying a person;
- data concerning health; or
- data concerning a natural person's sex life or sexual orientation.
The six principles of data protection
All the aims and objectives of the Eight Principles of the DPA are addressed by the GDPR, but only six are specifically referenced as principles, as the other two (Data Subject Rights and Data Transfers) are covered by other parts of the GDPR.
The Principles are as follows:
1. The Lawfulness, Fairness and Transparency Principle
This means personal data should be processed lawfully, fairly and in a transparent manner in relation to the data subject. Transparency and fairness are achieved via your privacy notices, which are explained in greater detail in the “Fair Processing?” FAQs.
2. The Purpose Limitation Principle
This means personal data should only be collected for a specified, explicit and legitimate purpose and not be further processed in a manner that is incompatible with those purposes. You should specify the purpose in your privacy notice.
3. The Data Minimisation Principle
This means personal data should be limited to what is necessary in relation to the purposes for which they are processed, e.g. if you are only sending an e-newsletter, you will probably only need an individual’s name and email address.
4. The Accuracy Principle
This means that you should take reasonable steps to keep personal data up to date and ensure that personal data that is inaccurate, having regard to the purpose for which they are processed, are erased or rectified without delay.
5. The Storage Limitation Principle
This means personal data should be kept in a form which permits identification of data subjects for no longer than is necessary. You should decide how long it is necessary to retain information given the purposes for which it was collected, and securely delete information when it is no longer needed for those purposes.
6. The Integrity and Confidentiality Principle
This means personal data should be processed in a manner that ensures appropriate security of that personal data, such as protection against unauthorised processing, accidental loss, destruction or damage.
You should be guided by these principles when you process personal data.
What is "processing"?
Processing is anything that can be done to personal data from its creation to its destruction and everything in between (e.g. obtaining, disclosing, amending, storing, deleting) whether or not by automated means.
What is fair processing and why is it important?
The first principle of the GDPR requires that you process all personal data lawfully, fairly and in a transparent manner. Processing is only lawful if you have a lawful basis as prescribed by the GDPR and you must be able to show that a lawful basis applies.
So what has changed from the Data Protection Act 1998?
The requirement to have a lawful basis in order to process personal data is not new. The six lawful bases for processing are broadly similar to the old conditions for processing, although there are some differences. You now need to review your existing processing, identify the most appropriate lawful basis, and check that it applies.
You can choose a new lawful basis if you find that your old condition for processing is no longer appropriate under the GDPR, or decide that a different basis is more appropriate.
What are the lawful bases?
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose. Consent must be unambiguous and it means genuine choice and control. Because consent can be withdrawn at any time, you should only rely on consent if no other basis applies.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract, e.g. monitoring academic performance is necessary to perform the tuition contract with students.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations), e.g. providing information when requested to do so by regulatory bodies, disclosing information in response to a court order.
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks. You can rely on it for private tasks e.g. marketing.)
What does "necessary" mean in the context of the lawful bases?
This means it must be a targeted and proportionate way of achieving the purpose. The lawful basis will not apply if you can reasonably achieve the purpose by some other less intrusive means.
How should you decide which lawful basis applies?
This depends on your specific purposes and the context of the processing. You should consider which lawful basis best fits the circumstances. You might consider that more than one basis applies, in which case you should identify and document all of them from the start.
For example, the University might rely on a mixture of legitimate interests and consent for alumni relations and fundraising purposes.
How do we document our lawful basis (privacy notices)?
The University is required to issue privacy notices to individuals, which identify, amongst other information, the lawful basis for processing. You will also need to include other information in your privacy notice, including the purposes for which you have obtained the personal data, the categories of recipient of that data (internal and external), the retention period, any overseas transfers and the individual’s rights. Additional information needs to be provided when you receive personal data indirectly from a third party, e.g. the categories of personal data you hold and the source.
What happens if circumstances change?
If your purposes change over time or you have a new purpose which you did not originally anticipate, you may not need a new lawful basis as long as your new purpose is compatible with the original purpose.
However, the GDPR specifically says this does not apply to processing based on consent. You need to either get fresh consent which specifically covers the new purpose, or find a different basis for the new purpose.
When can I process special categories of personal data?
If you are processing special category data, you need to identify both a lawful basis for processing and an additional special category condition for processing set out in the GDPR. You should document both your lawful basis for processing and your special category condition so that you can demonstrate compliance and accountability.
Those special category conditions include:
- explicit consent,
- employment law,
- vital interests,
- information made public by the individual,
- legal claims,
- substantial public interest,
- preventative/occupational medical purposes,
- public health,
- research, provided there are safeguards and it is in the public interest.
If you are processing data about criminal convictions, criminal offences or related security measures, you also need both a lawful basis for processing and a separate condition for processing criminal offence data. Those conditions are set out in the Data Protection Act 2018 (currently a Bill going through Parliament) and are similar to the conditions above.
You should document both your lawful basis for processing and your criminal offence data condition so that you can demonstrate compliance and accountability.
If no lawful basis applies to your processing, your processing will be in breach of the GDPR.
What should you do now?
You will need to produce a privacy notice to let individuals know what data you will be processing and the basis for doing so. We have produced a skeleton template, with accompanying guidance notes, which we can share with you to help you do this.
Processor v Controller
What is a Controller?
A Controller is the natural or legal person (i.e. the University), public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.
What is a Joint Controller?
Joint controllers exist where two or more controllers jointly determine the purposes and means of processing. The GDPR requires the joint controllers to enter into “an arrangement” that reflects their roles and relationships toward the data subjects. Whilst the word “arrangement” rather than contract is used, the reality is that this is likely to be done by way of a written data sharing agreement. Examples of joint controllers are the University and the Students’ Union, and the University and research students.
What is a Processor?
A Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller. Therefore, it is the Controller who engages the Processor. Examples include outsourced services such as organisations which conduct surveys on behalf of the University, cloud services or translation services.
Why is this distinction important?
Controllers and Processors have different responsibilities and obligations, so it is important to know which one you are so that you know what you are responsible for.
Controllers are responsible for most aspects of compliance with the GDPR even when engaging a Processor to process personal data on their behalf.
Processors act only under the instructions of Controllers. They must keep personal data secure from unauthorised access, loss or destruction. If a Processor processes personal data, other than in accordance with the Controller’s instructions, they become a Controller.
Both the Controller and the Processor can be investigated by the ICO and fined.
Both the Controller and the Processor can be sued by the data subject and both can be held liable for the full amount of the damages.
Relationship between Controller and Processor?
Controllers are liable for compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected. A Controller must only use a Processor providing sufficient guarantees that it has appropriate technical and organisational measures in place in respect of data protection. This means that you should conduct a due diligence exercise on any prospective service providers who may be acting as a Processor for you.
Processing must be governed by a written contract.
Processors must only act on the documented instructions of a controller. They will however have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply.
What does this written contract with Processors need to contain?
Contracts must set out as a minimum:
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data and categories of data subject; and
- the obligations and rights of the controller.
Contracts must also include as a minimum the following terms, requiring the processor to:
- only act on the written instructions of the controller;
- ensure that people processing the data are subject to a duty of confidence;
- take appropriate measures to ensure the security of processing;
- only engage sub-processors with the prior consent of the controller and under a written contract;
- assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
- assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
- delete or return all personal data to the controller as requested at the end of the contract; and
- submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
In the future, standard contract clauses may be provided by the European Commission or the ICO, and may form part of certification schemes. However at the moment no standard clauses have been drafted.
Any contracts in place with Processors on 25 May 2018 will need to meet the new GDPR requirements.
What should you do now?
You should therefore check your existing contracts with Processors to make sure they contain all the required elements. If they do not, you should get new contracts drafted and signed. You should review all template contracts you use.
International Data Transfers
What do we mean when we refer to an international transfer of personal data?
Personal data is considered to be transferred internationally when:
- It is physically transferred across a border; or
- It is accessed across borders.
Which borders should we be concerned about?
Transfers of personal data are not restricted within the EU.
Transfers to other countries are prohibited unless such country provides “an adequate level of data protection” as determined by the European Commission or unless certain other conditions are fulfilled.
Which countries outside the EU are considered adequate?
The list is constantly being updated, but currently includes the following:
- Isle of Man
- US, if the company is signed up to Privacy Shield; you can check this at privacyshield.gov.
If the country is not considered adequate, the transfer may still be made where one of the following safeguards is in place:
- Use of EU-approved Model Contracts between the Data Exporter and Data Importer
- Binding Corporate Rules
- Codes of Conduct and Certification: an external Controller or Processor may commit to a scheme approved at EU level.
If none of these options applies, you can transfer the personal data if:
- you have the individual’s explicit consent;
- the transfer is necessary to enter into or perform a contract with the individual (e.g. to provide a mandatory overseas placement);
- the transfer is necessary to enter into or perform a contract with another person/organisation for the benefit of the individual (e.g. when the University takes out local insurance for students on overseas field trips); or
- the transfer is necessary for legal proceedings/advice.
(This is not exhaustive).
What should you do now?
Consider whether any of your arrangements necessitate the international transfer of personal data. If so:
- Is that country considered adequate?
- If not, is there a contractual safeguard in place?
- If not, can you rely on consent, contractual necessity etc.?
This should also be set out in your privacy notice.
Demystifying Data Protection Impact Assessments (DPIAs)
What is a DPIA?
A DPIA (also known as a privacy impact assessment or PIA) is an assessment that is undertaken to identify potential areas of non-compliance and minimise risk.
The ICO has promoted the use of DPIAs as an integral part of taking a privacy-by-design approach (see separate FAQ).
When do you need to conduct a DPIA?
You must carry out a DPIA when:
- using new technologies; and
- the processing is likely to result in a high risk to the rights and freedoms of individuals.
Some data-analytics technologies which monitor students’ access to learning resources in tandem with their academic performance may qualify for a DPIA.
What information should the DPIA contain?
- A description of the processing activity and the purposes, including, where applicable, the legitimate interests pursued by the University.
- An assessment of the necessity and proportionality of the processing in relation to the purpose.
- An assessment of the risks to individuals.
- The measures in place to address those risks, including security measures, and to demonstrate that you comply.
- The formal advice of the DPO.
The way a DPIA is conducted will depend on the proposed processing activity.
What to do following the DPIA?
If unmitigated risk is identified, the University must notify the ICO.
Failure to adequately conduct a DPIA where appropriate is a breach of the GDPR and could lead to fines of up to 2% of an organisation's annual global turnover or €10 million – whichever is greater.
What should you do now?
This is only applicable from 25 May and is not historical. A DPIA should be undertaken before beginning any new “high-risk” processing activity, for example processing sensitive data or profiling activities.
Data protection by design and default
This is both an institutional and an individual responsibility.
What is privacy by design?
Under the GDPR, you have a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities.
The University is required to implement appropriate technical and organisational measures to ensure data protection principles such as data minimisation are met.
What are appropriate technical and organisational measures?
Article 32 of the GDPR gives examples of "appropriate measures", as follows:
- Pseudonymisation, i.e. using personal data in a way that minimises the opportunity to identify individuals, e.g. by using ID codes;
- The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
What is privacy by default?
The University must ensure that, by default, only personal data which is necessary for each specific purpose of the processing is processed. This relates to the amount of personal data collected, the extent of the processing, the retention period and who has access to it. In particular, personal data should not automatically be made accessible to an indefinite number of people without the individual’s intervention. By way of practical example: counselling records should be held on a separate part of the University system and be accessible only to relevant members of the counselling team.
The University must only process data to an extent that is necessary, and must only store data as long as necessary.
The statutory fine for a breach of this element of the GDPR is up to EUR 10,000,000, or up to 2% of annual worldwide turnover, whichever is higher.
What should you do now?
It is, therefore, important to regularly assess privacy compliance, by, for example, conducting Data Protection Impact Assessments (DPIAs) where appropriate.
The practical steps that need to be taken will depend on the likelihood and severity of the risks to privacy, the state of the art and the costs of implementation.
What is a data breach?
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Some examples include:
- loss or theft of data or equipment on which data is stored, such as memory sticks and laptops;
- inappropriate access controls allowing unauthorised use, e.g. giving staff members access to all data;
- equipment failure;
- human error;
- hacking attacks; and
- inadvertent disclosure.
How can I prevent data breaches?
Complying with the requirements for privacy by design and default and conducting DPIAs where appropriate will help to prevent personal data breaches.
What should I do if a data breach occurs?
There is an obligation to notify the appropriate Supervisory Authority, where feasible, within 72 hours unless the breach is unlikely to result in risk to individuals.
There is a requirement to notify individuals if the breach is likely to result in a high risk to them.
Therefore, please notify the University’s Data Protection Team as soon as you become aware of a data breach, no matter how small.
The penalties for data breaches have increased significantly under the GDPR, so it is more important than ever for everyone to take appropriate security measures and to report any security breaches.
For (mainly) breaches of record-keeping, contracting and security obligations:
- Maximum fine of up to 10 million euros or 2% of annual worldwide turnover, whichever is greater.
For (mainly) breaches of the basic principles, data subject rights or the rules on transfers to third countries:
- Maximum fine of up to 20 million euros or 4% of annual worldwide turnover, whichever is greater.
What should you do now?
There is no need to do anything now, but it is important that you are quick and reactive in the event of a suspected data breach. The level of fine will depend on any remedial action the University takes and its willingness to co-operate with the ICO.
Contracts - what do I need to consider?
For which contracts do I need to think about GDPR?
You need to consider GDPR when negotiating any contracts which involve the sharing of personal data between the parties.
Do I need to think about this now in relation to the contracts I am negotiating now or can I wait until after 25 May 2018 (the implementation date)?
If the contract will still be in force after 25 May 2018, you need to think about GDPR now. Otherwise, you will need to re-negotiate the data protection provisions after that date, as you may otherwise be in breach.
What do I need to think about?
The type of clauses that you will need to add to the contract will depend on the relationship between the contracting parties.
They could be:
- Controller to Controller
- Controller to Processor
- Processor to Sub-Processor
As we mentioned in the FAQs “Controller vs Processor”, the GDPR requires very specific provisions to be included in a written contract between a Controller and a Processor.
How can you help me?
Most contracts will already include clauses which address data protection issues; even if these are simply to codify that each party will comply with their respective obligations under the current Data Protection Act and the Privacy and Electronic Communications Regulations. However, it is highly likely that many contracts at the time they were completed would not have made provision for the possibility of the DPA being superseded, never mind the requirements of GDPR.
What should I do now?
It is vital that you review your existing contracts which will still be live by the time the GDPR is in force and check the data protection clauses within them. It is highly likely the clauses within these contracts will need to be updated to ensure that the data protection obligations reflect the GDPR requirements.
Equally, any contracts currently being negotiated should contain provisions which incorporate the GDPR. Otherwise, you run the risk of breaching the GDPR as soon as it applies.
Information Asset Register and Records of Processing
What is an Information Asset Register?
An Information Asset Register or IAR is a record of all of the personal data stores that the University holds, as well as key stores of non-personal data. The IAR:
- helps the University meet its obligation under the GDPR to have a good understanding of personal information it holds;
- allows the University to answer subject access requests more quickly;
- informs policy creation and process updates; and
- allows the University to identify and manage any risks to personal data that it holds.
What should I do now?
Please visit the GDPR workspace pages for the template information asset return and guidance.