The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) gives you a right of access to the data which organizations hold about you, and specifies how that data can be gathered, used and disseminated. The regulation governs the collection, retention, and transmission of information held about living individuals and the rights of those individuals to see this information. All departments within the University must be aware of the potentially far-reaching effects of this regulation. Those that record and use personal information are required to follow seven data protection principles. In particular, personal data must:

  • be processed fairly and lawfully.
  • be held only for specified and lawful purposes and must not be further processed in any manner incompatible with those purposes.
  • be adequate, relevant and not excessive in relation to the purpose for which it is processed.
  • be accurate and where necessary kept up to date.
  • not be kept for longer than is necessary.
  • be protected using appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss or destruction of the data.

In addition, the University, who is the Data Controller, must be able to demonstrate accountability and compliance with the regulation. This is known as the seventh principle.

Like the Data Protection Act 1998, the GDPR also stipulates that personal data must:-

  • not be transferred to a country or a territory outside the EU without an adequate level of protection for the rights and freedoms of data.
  • be processed in accordance with the rights of the data subject under the regulation.

In order to comply with the GDPR, Swansea University has developed a Data Protection Policy to ensure that students and staff fully comply with the requirements of the regulation.