GDPR: - Frequently Asked Questions

The UK GDPR became enforceable law from May 31st January 2020.

The GDPR states that Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13. As such, in the UK the age will be 13, not 16.

If a parent, family member or anyone else claiming to be connected to a student asks us to discuss a students academic situation, discuss a students personal matter or request access to a students  personal information, we will always say no, unless they can prove that they have the students consent to act on their behalf.

Student consent can be given via an email from the student, in person or over the phone. Students will be asked to confirm the matters they are happy to be disclosed, or anything they don't want us to share. Unless we are told otherwise, the consent will only relate to the matter at hand and further consent may be requested if new matter arise.

The UK GDPR applies to all companies processing and holding the personal data of data subjects residing in the United Kingdom, regardless of the company’s location.

There is a tiered approach  to issuing penalties under GDPR.

1. Organisations can be fined up to 4% of annual global turnover, or €20 Million of annual global turnover (whichever is higher), for breaches that may occur. This is the maximum fine that can be imposed for the most serious infringements. e.g. loss of data, not notifying the Information Commissioner's Office (ICO) of a breach etc.
2. They can also be fined 2% of annual global turnover, or €10 million for not having sufficient records of their processing activities.  e.g.not identifying what processing they do, not notifying the data subject about processing, not delivering against the rights of the data subject etc.

The fines are significant and no doubt a driver for compliance, but can be avoided providing that the University, and our staff process data in the right way.

No, mandatory reporting is only required where the breach poses "a risk to the rights and freedoms of individuals". In such instances, without undue delay, and where feasible, we must report the incident to the ICO within 72 hours.

You must however report all suspected or potential data breaches to the University Data Protection Officer  (See below)

Yes. Any "near miss" or incident that occurs involving personal data should be flagged to the DPO so that it can be logged and investigated and so that they can assess the risk "to the rights and freedoms of individuals".

Whilst this may seem  excessive, particularly where it is obvious that it was "accidental", the University needs to know about it so that we can prevent similar incidents happening in the future with higher risk data. 

Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

Not always.  Consent is only one of several lawful grounds for holding and using people's data. For example, any uses that are for the purposes of contractual arrangements (including student/employee contracts) are unlikely to be on consent grounds. The University has produced guidance on Lawful basis for processing.

The conditions for consent have been strengthened, as organisations will no longer be able to utilise long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent - meaning it must be unambiguous. 

Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.

Consent must be by a positive indication of the individuals intention i.e. "tick to opt-in" rather than a by passive "un-tick here to opt-out". Where consent has been obtained, it must be as easy to withdraw consent as it is to give it.