The General Data Protection Regulation (GDPR) & the Data Protection Act 2018

The General Data Protection Regulation (GDPR) forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (DPA 2018).

The GDPR gives you a right of access to the data which organizations hold about you, and specifies how that data can be gathered, used and disseminated. The regulation governs the collection, retention, and transmission of information held about living individuals and the rights of those individuals to see this information. All departments within the University must be aware of the potentially far-reaching effects of this regulation. Those that record and use personal information are required to follow seven data protection principles.

The GDPR has direct effect across all EU member states. This means organisations will still have to comply with this regulation and we will still have to look to the GDPR for most legal obligations. However, the GDPR gives member states limited opportunities to make provisions for how it applies in their country. One element of the DPA 2018 is the details of these. It is therefore important the GDPR and the DPA 2018 are read side by side. 

All departments within the University must be aware of the potentially far-reaching effects of this regulation. Those that record and use personal information are required to follow seven data protection principles. In particular, personal data must:

  • be processed fairly and lawfully.
  • be held only for specified and lawful purposes and must not be further processed in any manner incompatible with those purposes.
  • be adequate, relevant and not excessive in relation to the purpose for which it is processed.
  • be accurate and where necessary kept up to date.
  • not be kept for longer than is necessary.
  • be protected using appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss or destruction of the data.

In addition, the University, who is the Data Controller, must be able to demonstrate accountability and compliance with the regulation. This is known as the seventh principle.

The GDPR also stipulates that personal data must:-

  • not be transferred to a country or a territory outside the EU without an adequate level of protection for the rights and freedoms of data.
  • be processed in accordance with the rights of the data subject under the regulation.

In order to comply with the GDPR, Swansea University has developed a Data Protection Policy to ensure that students and staff fully comply with the requirements of the regulation.