The above Podbriefing provides a summary of the General Data Protection Regulation (GDPR), which will replace current data protection legislation on 25 May 2018.
This GDPR Podbriefing supplements the University's Data Protection Act Policy, a link to which can be found here and to the right of this page. Additionally, this Podbriefing builds on the earlier Data Protection Podbriefing, introducing updates and changes, especially with regard to the use of personal data.
Content and Aims
This Podbriefing is presented by Geraldine Swanton, a practising lawyer who specialises in data protection within the education sector, and focuses on the General Data Protection Regulation (GDPR), which will provide a wide range of updates to the existing law on data protection.
As the previous data protection legislation is now outdated, the GDPR has been designed to bring the law into line with the way data is currently processed and used.
The General Data Protection Regulation (GDPR)
Universities process huge amounts of data, which means that the changes brought by the GDPR will have a notable impact on the day-to-day activities of staff members within the University of Nottingham.
Within this context, the Podbriefing explains the main points covered by the GDPR, including:
- Principles for processing personal data
- The extended jurisdiction of the data protection regime
- A much higher standard for consent as a justification for the processing of an individual's personal data
- The concept of data protection by design and default
Under the GDPR, the University can be fined up to 2% of total worldwide turnover or €10 million (whichever is greater) for non-compliance in areas such as record keeping, data processor contracts, or the failure to maintain data protection by design and default.
Larger fines of 4% of total worldwide turnover or €20 million (whichever is greater) can be applied for breaches of the GDPR with regard to the data protection principles, a failure to discharge individuals' rights, or the transfer of data to third countries or international organisations without adequate protection.
For up-to-date examples of the penalties issued for breaches of the Data Protection Act, and information on how these are calculated, see the website for the Information Commissioner's Office.