The General Data Protection Regulation (GDPR)
The GDPR comes into effect on 25 May 2018, replacing the Data Protection Act 1998 (DPA).
The implementation will require comprehensive changes to the way in which organisations, like Queen's University Belfast, collect, use and transfer personal data.
How will it differ from the DPA?
The GDPR has been designed not only to harmonise Data Protection practices across the European Union, but specifically to strengthen the rights of Data Subjects.
- There is a new principle of "accountability", which requires organisations to demonstrate that they comply with the legislation - this includes, for example, maintaining documentation on processing activities.
- The standards required for gaining consent to process personal data are higher - consent must be unambiguous, informed and demonstrable.
- Organisations will be required to report significant data breaches to the Information Commissioner's Office within 72 hours.
- The penalties for non-compliance are significantly higher than under the DPA - with a potential fine of up to €20m.
The University is ensuring that its processes and procedures will comply with the GDPR. Please revisit this page as further updates are posted.
If you have any questions please contact the Information Compliance Unit by telephone on 028 9097 2506 or by emailing firstname.lastname@example.org.
The following dropdown contains important information on changes to Consent, Privacy notices and Privacy impact assessments - guidance will continue to be added.
Under the GDPR, the data protection principles set out the main responsibilities for organisations.
The principles are similar to those in the DPA, with added detail at certain points and a new accountability requirement.
Article 5 of the GDPR requires that personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to individuals;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) requires that
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
- Consent must be unambiguous, freely given, specific and the data subjects should be informed for each purpose for which the data is being processed, especially if the purposes evolve over time;
- Consent must be ‘explicit’ for the processing of sensitive data, (renamed “special category data”) under the GDPR. Explicit consent will require clear approval from the data subject e.g. a signed consent form.
- Consent must be obtained for each separate processing activity.
- Data subjects will have the right to withdraw their consent at any time
The GDPR provides some clarity on what will constitute “valid” consent:
“This could include ticking a box when visiting an Internet website, choosing technical settings for information society services or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data.
Silence, pre-ticked boxes or inactivity should therefore not constitute consent”.
To meet the enhanced accountability requirements under the GDPR, we must be open and transparent about how we process an individual’s personal information.
A privacy notice is a statement, or document, that discloses the ways in which an organisation will obtain, record, hold, alter, retrieve, destroy or disclose, personal information.
The University undertakes a wide range of processing, and this is reflected in our existing privacy notices for students and alumni. Staff collecting and using personal data at a more local level, in Directorates and Faculties, will need to provide privacy notices of their own; as will researchers processing personal data as part of a study.
The GDPR will require us to have the information listed below as part of a Privacy Notice:
- Details of the purpose and legal basis of the processing of the personal data;
- Categories of personal data processed;
- Details of how their personal information is to be used;
- Information about security of their data;
- Information about cookies used by a website;
- Details of the recipients of the personal data;
- Details of any transfers of personal data outside of the European Economic Area;
- Right to complain;
- The period of time the personal data will be stored;
- Individual rights – including how to make a subject access request and object to direct marketing.
The Information Commissioners’ Office (ICO) has published a revised Privacy Notices Code of Practice to assist organisations in preparing a clear and effective privacy notice.
Privacy Impact Assessments
Carrying out a Privacy Impact Assessment to ensure all projects / new systems are built with appropriate security measures and compliance will become a legal requirement under the GDPR. For high-risk situations, we will be required to consult with the ICO to seek its opinion as to whether the processing operation complies with the GDPR.
Carrying out an impact assessment at the start of a project ensures privacy by design, compliance with legislation and that systems are built with security from outset and risks are managed. This often results in better and cheaper solutions as adding in good security at a later date can be costly. We must carry out a Privacy Impact Assessment when:
- Using new technologies; and
- The processing is likely to result in a high risk to the rights and freedoms of individuals.
This is likely to include the following:
- New projects/plans/proposals
- New administrative systems with privacy implications
- Outsourcing a system
- New methods of electronic communications
- New IT systems
- Sharing of personal data with other bodies
- New or different use of personal data
- New policies, or statutory duties
- Whenever there is a potential for damage or distress to individuals
The ICO has published a Code of Practice for Conducting Privacy Impact Assessments, which you may find useful
Please get in touch with the Information Compliance Unit for assistance if you are starting a new project or system that uses personal data.