GDPR is an EU regulation which comes into force on 25 May 2018 and replaces the current Data Protection Act. We will all need to engage with and be aware of the changes.

You won't need to relearn everything you know about the Data Protection Act, but you will need to understand the differences and modifications.  Awareness training sessions will be running in the New Year.

Two of the most important changes are that we will be obliged to report significant data breaches to the Information Commissioner's Office, and it will be mandatory to conduct Privacy Impact Assessments (which fortunately we're already doing).

One of the main focuses will now be on data minimisation – only processing personal data when it is absolutely necessary, and not keeping it longer than is absolutely necessary.   

Right now we are conducting a Personal Data Processing Audit across the faculties and directorates. You are all obliged to provide input into this audit.

Everyone will have more rights under the new legislation. These will include:

  • free subject access requests, with a reduced response timescale of one month
  • a requirement for more information to be provided to them about how we are processing their personal data, with the focus on transparency and openness
  • the ability to withdraw consent as well as provide it
  • the "right to be forgotten"

Organisations, such as the university, that process personal data will be facing much bigger fines (up to a maximum of 20 million Euros) for serious data breaches.

We have a GDPR Working Group at the university who are delivering a project plan up to and beyond compliance day.

If you have any further questions about GDPR at Greenwich then please contact Lucy Fincham.