Skip to main content

The General Data Protection Regulation (GDPR)

The GDPR comes into effect on 25 May 2018, replacing the Data Protection Act 1998 (DPA).  

The implementation will require comprehensive changes to the way in which we collect, use and transfer personal data.  A GDPR Working Group, chaired by the Director of Student Plus, has been set up to examine the impact on university operations and to oversee the implementation of any changes required.  All Faculties and Directorates are represented on the Group.


Further Information Sessions will be arranged early in the 2018-19 academic year.  These are open to All Staff, to raise awareness of the changes required and make practical suggestions as to how these can be implemented.  These will last for one hour and will be self-bookable via ITrent.  

Staff are welcome to forward, in advance, any specific questions, queries or issues they would like be raised at these sessions to:

How does it differ from the DPA?

The GDPR has been designed not only to harmonise Data Protection practices across the European Union, but specifically to strengthen the rights of Data Subjects.  

For example:

    • There is a new principle of "accountability", which requires organisations to demonstrate that they comply with the legislation - this includes, for example, maintaining documentation on processing activities.
    • The standards required for gaining consent to process personal data are higher - consent must be unambiguous, informed and demonstrable.
    • Organisations will be required to report significant data breaches to the Information Commissioner's Office within 72 hours.
    • The penalties for non-compliance are significantly higher than under the DPA - with a potential fine of up to €20m.


The University is ensuring that its processes and procedures will comply with the GDPR.  Please revisit this page as further updates are posted.

In the meantime please ensure that you are familiar with the Data Protection Policy; Data Security Guidance; and our Pocket Guide to Data Protection

If you have any questions please contact the Information Compliance Unit by telephone on 028 9097 2506 or by emailing  

Further Information

The following dropdown contains important information on changes to Consent, Privacy notices and Data Privacy impact assessments - guidance will continue to be added.

  • Consent
    • Consent must be unambiguous, freely given, specific and the data subjects should be informed for each purpose for which the data is being processed, especially if the purposes evolve over time;
    • Consent must be ‘explicit’ for the processing of sensitive data, (renamed “special category data”) under the GDPR. Explicit consent will require clear approval from the data subject e.g. a signed consent form.
    • Consent must be obtained for each separate processing activity.
    • Data subjects will have the right to withdraw their consent at any time

    The GDPR provides some clarity on what will constitute “valid” consent:

    This could include ticking a box when visiting an Internet website, choosing technical settings for information society services or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data. 

    Silence, pre-ticked boxes or inactivity should therefore not constitute consent”.

    Please refer to this CHECKLIST to ensure that any consent you gain from individual's meet these new higher standards. 



  • Privacy Notices

    To meet the enhanced accountability requirements under the GDPR, we must be open and transparent about how we process an individual’s personal information.

    A privacy notice is a statement, or document, that discloses the ways in which an organisation will obtain, record, hold, alter, retrieve, destroy or disclose, personal information.

    The University undertakes a wide range of processing, and this is reflected in our existing privacy notices for students and alumni. Staff collecting and using personal data at a more local level, in Directorates and Faculties, will need to provide privacy notices of their own; as will researchers processing personal data as part of a study.

    The GDPR will require us to have the information listed below as part of a Privacy Notice:

    • Details of the purpose and legal basis of the processing of the personal data;
    • Categories of personal data processed;
    • Details of how their personal information is to be used;
    • Information about security of their data;
    • Information about cookies used by a website;
    • Details of the recipients of the personal data;
    • Details of any transfers of personal data outside of the European Economic Area;
    • Right to complain;
    • The period of time the personal data will be stored;
    • Individual rights – including how to make a subject access request and object to direct marketing. 

    The Information Commissioners’ Office (ICO) has published a revised Privacy Notices Code of Practice to assist organisations in preparing a clear and effective privacy notice.

  • Privacy Impact Assessments

    Carrying out a Privacy Impact Assessment to ensure all projects / new systems are built with appropriate security measures and compliance will become a legal requirement under the GDPR.  For high-risk situations, we will be required to consult with the ICO to seek its opinion as to whether the processing operation complies with the GDPR.

    Carrying out an impact assessment at the start of a project ensures privacy by design, compliance with legislation and that systems are built with security from outset and risks are managed. This often results in better and cheaper solutions as adding in good security at a later date can be costly.  We must carry out a Privacy Impact Assessment when:

    • Using new technologies; and
    • The processing is likely to result in a high risk to the rights and freedoms of individuals.

    This is likely to include the following:

    • New projects/plans/proposals
    • New administrative systems with privacy implications
    • Outsourcing a system
    • New methods of electronic communications
    • New IT systems
    • Sharing of personal data with other bodies
    • Surveys
    • New or different use of personal data
    • New policies, or statutory duties
    • Whenever there is a potential for damage or distress to individuals

    Please get in touch with the Information Compliance Unit for assistance if you are starting a new project or system that uses personal data. A pre-screening questionnaire can be downloaded here.  If you answer "Yes" to any of the questions, a full Assessment should be undertaken. 

    A template Privacy Impact Assessment can be downloaded here.


Privacy Notices:

These are notices, made available online to be viewed at any time in a variety of accessible formats, which describe what personal data we hold, process and where necessary share with third parties. It will describe our legal basis for doing so, as well as the retention details and your own rights in relation to your personal/sensitive data.

A Privacy Notice template has been made available and can be used for any part of the business which requires a notice for their own system, process, event or programme.

Overarching privacy notices will be provided for all staff, students and applicants.

Email Protocol:

When preparing internal email communications it is important to consider the following:

a)      Ensure that any opinions on other staff or student members are clearly stated as such, including who owns the opinion.

b)      Only include in your communications what you would be prepared to discuss in a public forum.

c)       Ensure that recipient address are correct and do not rely solely on the ‘auto fill’.

d)      Ensure that when sending any files which contain sensitive or personal data, that they are password protected and/or encrypted.

When sending communications to students or external parties please consider the following:

a)      Ensure that they recipient address is correct.

b)      When sending bulk communications to students or external partners, ensure Blind CC (BCC) is used, so as to mask the email addresses of recipients.

c)       Consider, before sending, what data it is that is being shared/transferred and determine whether or not it would be better to include further protection in the form of password protection.


The use of ‘consent’ as a legal basis for processing personal data has changed under GDPR. Consent should be able to be withdrawn ‘without any detriment to individuals’. The over use of consent, when asking individuals to constantly ‘consent’ to us using their data, can create ‘consent fatigue’ and there are usually other more appropriate methods of processing data. Such as using ‘legitimate interests’.

It is important to remember that if we are asking someone to sign up to a product, service, event or database etc. this is their ‘active opt in’ as it were. We don’t then need to ask for their consent to process their data. We now have a ‘legitimate interest’ in processing their data or potentially, if they have agreed to terms and conditions, we have a ‘contractual’ obligation to process their data. We may wish to seek consent for specific marketing options (e.g. Would you like to receive email/letters on future events?), as this can be withdrawn without detriment to the individual’s access to the service/event. 

Need more information?

Contact us