The General Data Protection Regulation (GDPR)
The GDPR comes into effect on 25 May 2018, replacing the Data Protection Act 1998 (DPA).
The implementation will require comprehensive changes to the way in which organisations, like Queen's University Belfast, collect, use and transfer personal data.
How will it differ from the DPA?
The GDPR has been designed not only to harmonise Data Protection practices across the European Union, but specifically to strengthen the rights of Data Subjects.
- There is a new principle of "accountability", which requires organisations to demonstrate that they comply with the legislation - this includes, for example, maintaining documentation on processing activities.
- The standards required for gaining consent to process personal data are higher - consent must be unambiguous, informed and demonstrable.
- Organisations will be required to report personal data breaches that are likely to result in a risk to individuals to the Information Commissioner's Office without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
- The penalties for non-compliance are significantly higher than under the DPA - with a potential fine of up to €20m or 4% of annual worldwide turnover, whichever is higher.
The University is ensuring that its processes and procedures will comply with the GDPR. Please revisit this page as further updates are posted.
If you have any questions please contact the Information Compliance Unit by telephone on 028 9097 2506 or by emailing email@example.com.
The following sections contain important information on changes to Consent, Privacy notices and Privacy impact assessments - guidance will continue to be added.
Consent
- Consent must be freely given, specific, informed and unambiguous, and data subjects must be told of each purpose for which their data is being processed, especially if the purposes evolve over time;
- Consent must be 'explicit' for the processing of sensitive data (renamed "special category data" under the GDPR). Explicit consent will require clear approval from the data subject, e.g. a signed consent form;
- Consent must be obtained separately for each distinct processing purpose;
- Data subjects will have the right to withdraw their consent at any time.
The GDPR provides some clarity on what will constitute “valid” consent:
“This could include ticking a box when visiting an Internet website, choosing technical settings for information society services or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data.
Silence, pre-ticked boxes or inactivity should therefore not constitute consent”.
Privacy Notices
To meet the enhanced accountability requirements under the GDPR, we must be open and transparent about how we process an individual's personal information.
A privacy notice is a statement, or document, that discloses the ways in which an organisation will obtain, record, hold, alter, retrieve, destroy or disclose personal information.
The University undertakes a wide range of processing, and this is reflected in our existing privacy notices for students and alumni. Staff collecting and using personal data at a more local level, in Directorates and Faculties, will need to provide privacy notices of their own; as will researchers processing personal data as part of a study.
The GDPR will require us to have the information listed below as part of a Privacy Notice:
- Details of the purpose and legal basis of the processing of the personal data;
- Categories of personal data processed;
- Details of how their personal information is to be used;
- Information about security of their data;
- Information about cookies used by a website;
- Details of the recipients of the personal data;
- Details of any transfers of personal data outside of the European Economic Area;
- Right to complain;
- The period of time the personal data will be stored;
- Individual rights – including how to make a subject access request and object to direct marketing.
The Information Commissioner's Office (ICO) has published a revised Privacy Notices Code of Practice to assist organisations in preparing a clear and effective privacy notice.
Privacy Impact Assessments
Carrying out a Privacy Impact Assessment (termed a Data Protection Impact Assessment, or DPIA, in the GDPR) to ensure all projects and new systems are built with appropriate security measures and compliance will become a legal requirement under the GDPR. Where an assessment indicates that the processing would result in a high risk that cannot be adequately mitigated, we will be required to consult the ICO before the processing begins and seek its opinion as to whether the processing operation complies with the GDPR.
Carrying out an impact assessment at the start of a project ensures privacy by design and compliance with legislation, and that systems are built with security from the outset and risks are managed. This often results in better and cheaper solutions, as adding good security at a later date can be costly. We must carry out a Privacy Impact Assessment when:
- The processing uses new technologies; or
- The processing is otherwise likely to result in a high risk to the rights and freedoms of individuals.
This is likely to include the following:
- New projects/plans/proposals
- New administrative systems with privacy implications
- Outsourcing a system
- New methods of electronic communications
- New IT systems
- Sharing of personal data with other bodies
- New or different use of personal data
- New policies, or statutory duties
- Whenever there is a potential for damage or distress to individuals
The ICO has published a Code of Practice for Conducting Privacy Impact Assessments, which you may find useful.
Please get in touch with the Information Compliance Unit for assistance if you are starting a new project or system that uses personal data.