The General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) - Are You Ready?


The Data Protection Act 1998 will be replaced by the General Data Protection Regulation (GDPR) on the 25th May 2018. Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA); however, there are new elements and significant enhancements, so some things will be new and other things will need to be done differently. The major shift with the implementation of the GDPR will be in giving people greater control over their data.


Key changes include: new rules around consent, more informative privacy notices, mandatory data breach notification, increased fines, new or expanded rights for data subjects, wider territorial scope and the introduction of an accountability principle, which makes some measures that were previously recommended as good practice legally required in certain circumstances, e.g. conducting privacy impact assessments and incorporating data protection by design into projects, maintaining detailed internal records of processing activities, and ensuring that any third party data processing is done under a contract that meets the requirements of the GDPR.

GDPR Key Changes

The Right to be Informed

The right to be informed is one of the extended rights under the GDPR. Privacy Notices, and other documentation, will need to be updated to ensure that they are easy to understand for the individuals who need to use them. For information processed by the University that is obtained directly from the individual, the individual should be told at the time the information is obtained:

  • The identity and contact details of the data controller and their Data Protection Officer (DPO).
  • The purpose and legal basis for the processing.
  • The legitimate interests of the controller (or third party), where that is the legal basis relied on.
  • Who will receive the information.
  • Any transfers to third countries and the safeguards in place.
  • For how long the information will be retained.
  • That they have rights under the GDPR and what they are.
  • That they have the right to withdraw consent at any point.
  • That they can complain to the ICO.
  • Whether providing the information is a statutory or contractual requirement, and the possible consequences of not providing it.
  • The existence of any automated decision making, including profiling, applied to them.

Privacy Notice Guidance Template

Link to ICO Guidance 

New or Extended Rights

One of the major motivations of the GDPR is to extend the rights of individuals. All rights must, by and large, be responded to within one month. Data Subjects have eight new or extended rights:

1) The right to be informed – see previous section

2) The right of access. Generally known as Subject Access Requests (SAR), these were also available under the Data Protection Act 1998 (DPA), but some of the rules have changed.

The most significant changes to SAR processes are that:

  • Removal of the £10 subject access fee - a fee may only be charged where the request is manifestly unfounded, excessive or repetitive.
  • Requests must be dealt with within one month of receipt - this is a significant reduction from the current 40 day timescale.

3) The right to rectification. If personal data is identified as being inaccurate or incomplete individuals have the right for it to be rectified within one month. This extends to where any third parties have had a Data Subject’s information shared with them.

4) The right to erasure. This is often known as the right to be forgotten and can be summarised as the right to have personal data removed or deleted within one month where there is no compelling reason for it to continue being processed. The ICO is keen to stress that this is not an absolute right to be forgotten and applies only in certain situations, for example:-

  • When the data is no longer needed for the reason it was originally collected.
  • The Data Subject withdraws consent.
  • The Data Subject objects to the processing and there is no overriding legitimate reason to continue processing.
  • The processing is unlawful.
  • It is required to be erased to comply with a legal obligation.
  • It was collected in relation to the offer of information society services to a child.

The threshold for erasure under the DPA, that the processing would cause unwarranted and substantial damage or distress, has been removed under the GDPR. There are, however, some scenarios in which it is possible to refuse a request:

  • The exercise of the right of freedom of expression and information.
  • In complying with a legal obligation.
  • For public health purposes.
  • Archiving in the public interest, statistical purposes and historical or scientific research.
  • To defend a legal claim.

If data that is to be erased has been disclosed to a Third Party, you must also inform that Third Party of the erasure, unless doing so would be impossible or involve disproportionate effort.

5) The right to restrict processing. As with the Data Protection Act, individuals may ask for processing to be restricted, which largely means an organisation may continue to store their personal data but must not process it any further. This can include scenarios such as:

  • A Data Subject contests the accuracy of the data, until the accuracy is confirmed.
  • Where the Data Subject has contested the processing and the organisation is considering if its legitimate interests override this.
  • When the processing is unlawful but the Data Subject opposes erasure and requests restriction instead.
  • If the organisation no longer requires the personal data, but the individual needs it to establish, exercise or defend a legal claim.

If processing is to be restricted and the data has been disclosed to a Third Party, you must also inform that Third Party of the restriction, unless doing so would be impossible or involve disproportionate effort.

6) The right to data portability. This allows individuals to obtain and reuse (i.e. move, copy and transfer) their information across different services free of charge, within one month of the request being made. It applies to personal data held by the Data Controller where the processing is based on Consent or on the performance of a contract, and where the processing is carried out by automated means.

7) The right to object. Individuals have the right to object to:-

  • Processing based on legitimate interests, or on the performance of a task in the public interest or the exercise of official authority, including any profiling based on those grounds. Processing must stop unless:
    • The University can demonstrate compelling legitimate grounds for continuing which override the interests, rights and freedoms of the Data Subject, or
    • The processing is for the establishment, exercise or defence of a legal claim.
  • Processing for scientific or historical research or statistical purposes. Objections must similarly be based on grounds relating to the data subject’s particular situation. Where the processing is necessary for the performance of a task in the public interest, the Data Controller is not required to comply.
  • Direct marketing, again including profiling. Such a request must be actioned immediately upon its receipt, dealt with free of charge, and cannot be refused.

8) Rights in relation to automated decision making and profiling. This specifically provides safeguards against decisions with legal or similarly significant effects being taken about an individual solely by automated means, i.e. by computers without human involvement. Where such decisions are made, individuals have the right to obtain human intervention, to express their own point of view, to have the decision explained to them, and to challenge that decision if they are not happy with it.

With regard to profiling, this is any automated processing of personal data used to evaluate, analyse or predict an individual’s performance at work, economic situation, health, personal preferences, reliability, behaviour, location or movements. Such activity requires precautions including appropriate Privacy Notices, appropriate statistical procedures and information security measures, and robust procedures to prevent and correct errors.

Data Protection by Design and Privacy Impact Assessments

The introduction of the new accountability principle under the GDPR requires organisations to understand the risks they create, mitigate them and be able to demonstrate that they comply. Some measures that were previously recommended as good practice are now legally required – these include data protection by design and privacy impact assessments.

Data protection by design – when designing a new system, process or service, organisations will need to show that they have considered and integrated data protection into their processing activities from the initial stages of the design process. It is a mandatory requirement that privacy and data protection are a key consideration in the early stages of any project, and then throughout its lifecycle. For example:-

  • building new IT systems for storing or accessing personal data;
  • developing legislation, policy or strategies that have privacy implications;
  • embarking on a data sharing initiative; or
  • using data for new purposes.

Ways to support the evidencing of data protection by design would include:-

  • Documenting any strategies and controls that have already been deployed
  • Involving the organisation’s Data Protection Officer to help rank and order risk mitigation.
  • Ensuring security / system providers demonstrate that they are compliant.
  • Applying the ICO’s current guidance on Privacy Impact Assessments / DPIAs throughout the organisation.
  • Creating privacy impact assessment documentation and processes.

Taking a privacy by design approach is an essential tool in minimising privacy risks and building trust. Designing projects, processes, products or systems with privacy in mind at the outset can lead to benefits which include:-

  • Potential problems are identified at an early stage, when addressing them will often be simpler and less costly.
  • Increased awareness of privacy and data protection across an organisation. 
  • Organisations are more likely to meet their legal obligations and less likely to breach data protection legislation.
  • Actions are less likely to be privacy intrusive and have a negative impact on individuals. 

Privacy Impact Assessments (PIA) – a tool for organisations to use to identify effective ways to comply with the GDPR obligations. The Information Commissioner’s Office (ICO) will expect to see data protection by design demonstrated by use of a Privacy Impact Assessment or Data Protection Impact Assessment (DPIA). A privacy impact assessment is mandatory when:-

  • Using new technology - this can trigger the need to carry out a privacy impact assessment as it can involve novel forms of data collection and usage, possibly with a high risk to individuals’ rights and freedoms.
  • Where the processing is likely to result in a high risk to the rights and freedoms of individuals. High risk processing will include:
    • Evaluation or scoring, including profiling and predicting, especially from ‘aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements’. An example would be where an organisation builds behavioural or marketing profiles based on usage or navigation of its website.
    • Automated decision making with legal or similarly significant effect. Examples of this would be where processing may lead to the exclusion of, or discrimination against, individuals.
    • Systematic monitoring – processing used to observe, monitor or control data subjects, e.g. CCTV.
    • Special categories of data or sensitive personal data – e.g. patient medical records in a hospital, or personal data relating to criminal convictions. This refers mainly to processing sensitive personal data on a large scale, where there is an increased risk to the rights and freedoms of individuals. An organisation collecting data on guest allergies for a corporate event is processing sensitive personal data but would not need to perform a PIA.
    • Data processed on a large scale – this would depend on the number of data subjects, the volume of data, the duration of the processing activity and the geographical extent of the processing activity.
    • Data concerning vulnerable data subjects.
    • Data transfers across borders to countries outside the European Union.

If it is not clear whether a PIA is mandatory, or if you are processing sensitive personal data, you may want to consider conducting a PIA in any event – remember it is a way to demonstrate compliance under the GDPR. For details on conducting a PIA contact Bev Buckley on x6281 or email

Data Breach Notification

Work in Progress - please contact Bev Buckley on x6281 for further information

The New Fine Regime

To be updated - please contact Bev Buckley on x6281 for further information


Record of Processing Activities

To be updated - please contact Bev Buckley on x6281 for further information

International Transfers

To be updated - please contact Bev Buckley on x6281 for further information