Please note that all of the University's data protection webpages have now been rewritten to reflect the provisions of the General Data Protection Regulation, which following Brexit is now known as the UK GDPR. This standalone page about the University's GDPR preparations in 2017-2018 is being retained for reference but staff should consult the data protection overview page for up-to-date information about, and links to, a wider range of resources. |
What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) is a new data protection law that applies in the UK and the rest of the EU from 25 May 2018 and replaces the Data Protection Act 1998 (DPA 1998). The law applies to organisations in all sectors, both public and private. Like the DPA 1998, it is regulated in the UK by the Information Commissioner’s Office (ICO). It applies in the UK despite and beyond Brexit. Individual EU Member States can introduce certain additional provisions to, and exemptions from, the GDPR. The UK Government has implemented these (plus other related measures, such as the regulatory powers of the ICO) by way of a new Data Protection Act 2018.
Is it similar to the Data Protection Act 1998?
Like the DPA 1998, the GDPR sets out rules and standards for an organisation’s use of information relating to living identifiable individuals. It doesn’t apply to anonymous information or to information about the deceased. The GDPR’s rules and standards are based around the existing DPA 1998 concepts of data protection principles and individual rights.
So what’s new?
The GDPR has been designed to harmonise and strengthen data protection law and practice across the EU. While allowing for an element of risk-based implementation, the GDPR is substantially more prescriptive than the DPA 1998 in describing how organisations should implement the principles and uphold the rights of individuals – and how they should demonstrate that they are doing so.
What are the new prescriptive requirements?
In short, there are changes to the following:
-
The existing data protection principles have been reinforced and an accountability principle has been introduced.
-
The legal bases under which organisations can use an individual’s personal data have been subtly changed, and the conditions under which an individual's consent can be valid are more stringent.
-
Much more detailed information needs to be supplied to individuals about how their personal data is used (via what are usually termed 'privacy notices').
-
Individuals can exercise their rights for free. The GDPR both boosts existing rights (e.g. the right to access the personal data or the right to have inaccurate data corrected) and introduces new ones (e.g. the right to be forgotten).
-
Organisations are required to promote a culture of ‘privacy by design and default’ through measures such as Data Protection Impact Assessments, security assessments, the maintenance of registers setting out how personal data is used, and mandatory terms in legal agreements with other organisations with whom data is shared.
-
Certain types of personal data breach must be notified to the ICO within 72 hours, as well as to the affected individuals.
The changes will have a wide-ranging impact on how all organisations, including the University, can hold and use information about living identifiable individuals.
What are the penalties if something goes wrong?
The maximum fine that the University could receive for a breach of the DPA 1998 is £500,000; under the GDPR this is increased to €20m, or 4% of annual turnover (whichever is higher). It is accordingly even more important to make a collective effort to ensure that we handle personal data securely, carefully and in line with what individuals have been told.
What is the University doing about GDPR?
The University has established a GDPR Data Protection Working Group, chaired by the Registrary, to work on and oversee the University’s preparations. As well as members from various UAS offices, University Information Services and the University Library, the Group includes representatives from academic departments, the Office of Intercollegiate Services, Cambridge Assessment and Cambridge University Press to ensure a coordinated approach to the implementation of the changes across Collegiate Cambridge. The Working Group has been operating to a detailed Project Plan. The Plan’s deadlines take into account any changes that might be necessary at specific points in the academic cycle.
How does the GDPR affect central processes?
Many of the changes necessitated by the GDPR may be fulfilled by amending central processes. Some of these concern the core interactions with, and information supplied to, different categories of individual such as applicants, students, alumni and staff. Others relate to the overarching policies, procedures and records that are required to enable us to demonstrate our compliance with the new law.
How does the GDPR affect departmental processes? What do I need to do?
Although the greatest impact is upon central processes, some changes need to be implemented at a departmental level to ensure that certain processes overseen by Schools, Faculties, Departments and other University Institutions are aligned to the new law.
The following resources have been issued to assist:
-
GDPR Toolkit for University Institutions (circulated to Departmental Administrators and Heads of Institutions on 22 November 2017 and accompanied by several launch workshops - also available as a Word document)
-
GDPR Toolkit Update 1 (circulated to Departmental Administrators on 9 February 2018)
-
GDPR Toolkit Update 2 (circulated to Departmental Administrators on 9 March 2018)
-
GDPR Toolkit Update 3 (circulated to Departmental Administrators on 27 March 2018)
-
GDPR Toolkit Update 4 (circulated to Departmental Administrators on 20 April 2018) - this was the final update
-
GDPR Guidance on Local Privacy Notices (circulated to relevant staff/student services on 22 November 2017)
-
GDPR Guidance on Website Privacy Policies (published on 9 March 2018)
-
Preliminary Guidance on the GDPR and Academic Research (published on 27 March 2018)
Guidance (primarily for Departmental Administrators and other users) on the Information Asset Register (as mentioned in the Toolkit) is published on a separate page.
In addition, the data protection overview page and data protection guidance pages contain resources that have been aligned to GDPR standards; these will continue to be supplemented and refined.
Can I have a bit more detail on the background?
The following resources should assist.
-
Government documents about, and draft text of, the Data Protection Bill
-
Text of the Data Protection Act 2018 (as enacted on 23 May 2018)
-
Briefing Paper on the GDPR (prepared for a meeting of the University Council in April 2017, and last updated on 3 October 2017)
-
Update Paper on the GDPR (prepared for a meeting of the University Council in March 2018)
-
Briefing Presentation on the GDPR Preparations (last updated on 7 February 2018)
-
Briefing Paper on the Data Protection Bill (based on a paper prepared for a meeting of the GDPR Data Protection Working Group, and last updated on 28 September 2017)
-
GDPR Definitions (definitions of some of the key terms used in the GDPR and data protection law)
Who can I contact with further questions?
Further questions should be directed to data.protection@admin.cam.ac.uk.