All staff and students who work with personal data are responsible for complying with GDPR. The College will provide support and guidance but you do have a personal responsibility to comply.
What is the GDPR?
The EU’s General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 are new laws which have replaced the 1998 Data Protection Act. The GDPR was passed in 2016 and all organisations, including the College, had to become compliant with it by 25 May 2018. The Data Protection Act 2018 came into force and replaced the Data Protection Act 1998 on 23 May 2018. For most organisations, the GDPR is the law to turn to first. However, the Data Protection Act 2018 supplies a lot of the detail about how privacy law will apply to particular sectors and types of activity.
The GDPR only relates to the processing of personal data and has been put into place with the aims of:
- Unifying data privacy laws across the EU
- Formalising principles of data collection and retention
- Improving the protection of EU citizens and their data, with new considerations given to technological advances made since the 1998 Data Protection Act came into place
The GDPR places a greater emphasis on the rights of the data subject. These rights are:
- The right to be informed
- The right of access
- The right of rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
According to the new regulation, all personal data must be:
A) Processed lawfully, fairly and in a transparent manner in relation to individuals
B) Collected for specific, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes
C) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
D) Accurate and, where necessary, kept up to date; steps should be taken to rectify or erase without delay
E) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
F) Processed in a manner that ensures appropriate security of the data
The GDPR also includes an accountability principle which states that we must be able to demonstrate compliance with the above principles.
What does this have to do with me?
As a result of the GDPR, a number of changes need to be made to the ways in which the College holds and processes personal data, and it is important that you are aware of your responsibilities. The main risks of non-compliance are increased fines (the maximum being the greater of 4% global turnover for the preceding financial year or €20 million) and a lack of confidence from the public and other organisations towards the College.