GDPR: Frequently Asked Questions

The General Data Protection Regulation (GDPR) is new to everyone, and some common questions are being asked. Here we have presented answers to the questions we are asked most often.

If you have any questions in relation to GDPR, please contact dp.officer@northumbria.ac.uk and we will update this page with the most popular.


When is the GDPR coming into effect?

The GDPR will be enforceable law from May 25th 2018.

What about data subjects under the age of 16?

The GDPR states that parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent, but this may not be below the age of 13. The UK has chosen to do so, so in the UK the age will be 13, not 16.

What about 'BREXIT'? Will that stop GDPR coming into effect?

The UK government has confirmed that the UK will need to comply despite Brexit. On 14th September 2017 the UK government published a Data Protection Bill that will exist alongside the GDPR and covers those areas of the GDPR that allow for decisions to be made by individual member states, such as the powers of our own Data Protection Authority (the Information Commissioner's Office).

Who does GDPR apply to?

The GDPR applies to organisations located within the EU and to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

What are the penalties for non-compliance?

There is a tiered approach to issuing penalties under GDPR.

  1. Organisations can be fined up to 4% of annual global turnover, or €20 million (whichever is higher). This is the maximum fine that can be imposed and is reserved for the most serious infringements, e.g. loss of data, not notifying the Information Commissioner's Office (ICO) of a breach, etc.
  2. They can also be fined up to 2% of annual global turnover, or €10 million, for not having sufficient records of their processing activities, e.g. not identifying what processing they do, not notifying the data subject about processing, not delivering against the rights of the data subject, etc.

The fines are significant and no doubt a driver for compliance, but they can be avoided provided that the University and our staff process data in the right way.

Do we need to report every potential data protection breach to the ICO?

No. Mandatory reporting is only required where the breach poses "a risk to the rights and freedoms of individuals". In such instances we must report the incident to the ICO without undue delay and, where feasible, within 72 hours.

You must, however, report all suspected or potential data breaches to the University Data Protection Officer (see below).

Do we need to report every suspected data protection breach to the University Data Protection Officer (DPO)?

Yes. Any "near miss" or incident that occurs involving personal data should be flagged to the DPO so that it can be logged and investigated and so that they can assess the risk "to the rights and freedoms of individuals".

Whilst this may seem excessive, particularly where it is obvious that it was "accidental", the University needs to know about it so that we can prevent similar incidents happening in the future with higher-risk data.

What constitutes personal data?

Any information relating to a natural person, or 'Data Subject', that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites or medical information to a computer IP address.

Do we need data subject consent to process data?

Not always. Consent is only one of several lawful grounds for holding and using people's data. For example, any uses that are for the purposes of contractual arrangements (including student/employee contracts) are unlikely to rely on consent. The University has produced guidance on the lawful basis for processing.

What does "consent to process data" mean under GDPR?

The conditions for consent have been strengthened. Organisations will no longer be able to rely on long, illegible terms and conditions full of legalese: the request for consent must be given in an intelligible and easily accessible form, with the purpose of the data processing attached to that consent, meaning it must be unambiguous.

Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.

Consent must be given by a positive indication of the individual's intention, i.e. "tick to opt in" rather than a passive "un-tick here to opt out". Where consent has been obtained, it must be as easy to withdraw consent as it is to give it.
