Corporate Governance

Frequently Asked Questions for the General Data Protection Regulation (GDPR)

These FAQs have been produced to cover the information we believe it is helpful for staff and students to know, and in response to questions already asked.

These FAQs will be added to as and when more information becomes available, or when staff ask more questions.

1. What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a new regulation from the European Union dealing with the processing of personal data and the free movement of that data. The GDPR repeals the directive on which the current data protection legislation is based (Directive 95/46/EC) and therefore will repeal the Data Protection Act 1998 itself. As an EU Regulation, this piece of legislation is implemented directly into UK Law.

2. When does it come into effect?

The Regulation came into effect on 25 May 2018, as did the new Data Protection Act 2018 (see FAQ 4 for more detail).

3. Will we still have this Regulation after the UK leaves the EU?

We will still keep this regulation once the UK leaves the EU for two reasons:

i) this Regulation comes into effect before we leave the EU so we need to implement it for the time we are in the EU, and

ii) when the UK is no longer part of the EU it will be necessary for the UK to prove that our standards for processing personal data are at least as good as those throughout the EU, for the remaining countries to be able to transfer data to the UK without having to meet any further legal obligations. One way of proving the UK data processing standards is to retain the basis of the EU Regulation which all other Member States are using to regulate data processing.

4. What is the Data Protection Act and how does it differ from the GDPR?

The Data Protection Act 2018 is a further piece of legislation that brings into effect any ‘derogations’ that the UK has from the GDPR. That is, there are several points within the GDPR where individual Member States can determine how the legislation will be implemented in their own country in a way which applies best to their own circumstances, for example, determining that children over the age of 13 (rather than 16 as the GDPR stipulates) can give their own consent when providing details for information society services. The Data Protection Act 2018 has also re-introduced into the legislation parts of the old Data Protection Act 1998 that were not included in the GDPR, such as including criminal conviction data in the definition of special category data, as well as including the detail of the Law Enforcement Directive.

5. What are the main changes in the GDPR?

The main changes in the GDPR are:

i) that the legislation is now technology neutral, so it applies to personal data held in any format whether paper or electronic, held in files, on laptops, phones, cameras, video tapes, audio recordings etc

ii) the definition of Personal Data has changed to include location data and online identifiers

iii) the definition of Sensitive Personal Data has been extended to include genetic and biometric data but only for the purpose of uniquely identifying a living individual.

iv) the term Sensitive Personal Data itself changes to Sensitive Category Data (SCD)

v) that data subject rights are extended and improved

vi) the requirement to know and state – in fair processing notices – the lawful basis for all types of processing of personal and special category data, and for this to be made clear at all times

vii) the introduction of compulsory data breach notification

viii) increased fines for data, and notification, breaches

ix) the requirement for transparency and accountability

x) increased responsibility of data processors for data processing.

6. How does it affect me?

Where our processing of personal data was already compliant with the Data Protection Act 1998 it should not take much to ensure our future processing under the GDPR and the Data Protection Act 2018 is also compliant, so you shouldn’t be affected too much.

If you process any of the data in the extended definitions (in FAQ 5), you will need to make sure that this data is now treated appropriately. We are compiling an information audit so that we know what personal data is being processed, where, why, who will see the data, how long we will process the data for and how we will delete it once it is no longer needed.

Work on this has already started and you may receive a request (if you haven’t already) from staff in the Information Governance team for information about the data you process.

We also need to check the information we give to students and staff about our processing of their personal data, so you will need to check any fair processing notices or information sheets you might use to see if they provide the correct information.

7. What is a fair processing notice?

A ‘fair processing notice’ is the term given to the information that we need to provide to anyone whose personal data we process as part of our work.

The University has two overarching statements – one for students and one for staff – which cover the main processing carried out by the University but if we collect data on a school/departmental level, we need to provide this data to the students at the time we collect their data.

Examples of such processing will be the collection of data for research purposes, organising field trips etc.

The information should be provided in hard copy so that the individuals concerned have a copy of the information, but it may also be worth considering putting some of this information on school / department webpages if the processing is carried out on a regular basis.

8. What are the lawful bases for processing personal data?

Whenever processing personal data, we have to have a legal basis for the processing.

Under the GDPR these will be:

  • that the data subject has given their consent to this processing
  • that the processing is necessary for the performance of a contract involving the data subject
  • the processing is necessary for compliance, by the data controller, with a legal obligation
  • that the processing is necessary in order to protect the vital interests of the data subject or another living individual
  • that the processing is necessary for the performance of a task carried out in the public interest of the data controller
  • that the processing is necessary for the legitimate interests of the data controller (although this legal basis has limited application)

When processing special category data, we also need to have a further lawful basis for processing from the following list:

  • that the data subject has given their explicit consent to the processing
  • that the processing by the data controller is necessary in the field of employment
  • that the processing is necessary to protect the vital interests of the data subject or another living individual, where the data subject is physically or legally incapable of giving consent
  • that the processing relates to personal data that has been made public by the data subject
  • that the processing is necessary for legal reasons
  • that the processing is in the substantial public interest
  • that the processing is necessary for occupational medicine
  • that the processing is necessary for reasons of public interest in the area of public health
  • that the processing is necessary for archiving purposes in the public interest, scientific or historical research or statistical purposes

9. How has the definition of “consent” changed?

The GDPR requires consent to be ‘specific, explicit, informed and freely given’. 

In order for the consent to be ‘specific’, the request for consent must be distinguishable from any other parts of the form. 

Similarly, for the consent to be ‘explicit’ the individual must sign / agree to the request to provide the information separately from any other part of the form. For example, where a student agrees to be part of a research project, they sign once to agree to be part of the research and then sign / agree a second time to the actual data processing that is involved. This consent must be retained for as long as the data to which it refers is held.

Having, and making available, a fair processing notice (see FAQ 7) means that when a person consents to their data being processed, their consent is informed by the information provided in the fair processing notice.

The final element of consent, that it is ‘freely given’, may be the hardest to achieve. If there is any element of the processing of the personal data that cannot be started, or continued, without the individual’s consent to it, then the consent cannot be freely given and it will be necessary to find another legal basis for the data processing.

10. What do I need to know about data breach notification?

Under the GDPR, data breach notification is now compulsory, whereas it was voluntary under the DPA 1998.

The ICO will issue guidelines for when it is necessary to report a breach (similar to those in existence under the DPA), but the GDPR requires that the data controller shall report a data breach without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

The University has a Data Breach Notification policy and a form on which to report a data breach as necessary.

11. How much are the new fines under the GDPR?

There are two categories of fines that can be imposed under the GDPR:

  1. Failure to comply with obligations set out in the legislation for a data controller or data processor, as well as failing to comply with certification or monitoring body obligations, will attract fines of up to 2% of annual turnover or €10m, whichever is the greater.
  2. Failure to comply with the data protection principles, failure to comply with the necessary conditions for consent, failure to comply with the rights of data subjects, non-compliance with an order of the ICO and having non-compliant overseas transfers, as well as a failure to carry out a privacy impact assessment, will attract fines of up to 4% of annual turnover or €20m, whichever is the greater.

The Information Commissioner’s Office (ICO) has stated that these higher fines will be used only in extreme situations and that it prefers to educate and change practice, rather than to fine organisations.

12. What is a Privacy Impact Assessment (PIA)?

A Privacy Impact Assessment, also known as a Data Protection Impact Assessment, is a form of (risk) assessment that identifies whether the proposed processing of personal or special category data might have an adverse impact on the privacy of the individual(s) whose data is being processed and if so, the steps that can be taken to remove or minimise the risk to the individual.

13. When should we carry out a Privacy Impact Assessment (PIA)?

The GDPR requires that an Impact Assessment should be carried out whenever new technologies for processing are to be used, where automated processing is involved, where there is a high risk to privacy involved in the processing, where profiling takes place, and where large amounts of sensitive personal data are being processed.

14. I’ve heard the phrase ‘Privacy by Design’ – what does it mean?

‘Privacy by Design’ is another term for ‘Data Protection by Design’, and refers to the action of determining the minimum personal data required to carry out the necessary processing. By processing only the minimum personal data required, we are maintaining an individual’s privacy (protecting data).

15. What are the new “data subject rights”?

The full list of data subjects’ rights is:

  • The right to be informed via Fair Processing Notices
  • The right of access – known as Subject Access Requests
  • The right to rectification of data
  • The right to be forgotten*
  • The right to restrict processing
  • The right to data portability*
  • The right to object to processing
  • Rights in relation to automated decision making and profiling

* The right to be forgotten and the right to data portability are the only ‘new’ rights under the GDPR and even the right to be forgotten was available under some circumstances under the Data Protection Act 1998.

The right of data portability is only available where the personal data is processed with the consent of the data subject, not where the personal data has been collected using any of the other legal bases for processing.

16. What is the difference between a data controller and a data processor?

A Data Controller is the body / organisation that determines the purposes and means of processing personal data.

A Data Processor is a third party which processes personal data on behalf of, and in line with instructions from, the Data Controller and for no reasons of its own.

The significance of this is the new responsibilities of a data processor under the GDPR (see FAQ 17 for more detail).

17. What are the contractual responsibilities of a data processor?

Under the GDPR a data processor must provide guarantees to implement measures to ensure compliance with the GDPR, including security for the data they process, ensuring staff are compliant with confidentiality requirements, and only employing sub-processors with the agreement of the data controller. The data processor must comply with any data breach notification requirements set out by the data controller. Any data breach fines can now be imposed on a data processor as well as a data controller. 

This information must be included in any new contracts set up with, and brought to the attention of, data processors employed by the University.

18. Where can I get more information about the GDPR?

More information about the GDPR (and what it will mean for the University) can be found:

i) on the University Corporate Governance pages

ii) on the Information Commissioner’s Office webpages

iii) from the Information Governance team on ext 3642 or by email at