Skip navigation

GDPR: - Frequently Asked Questions

The General Data Protection Regulations are new to everyone, and some common questions are being asked. Here we have presented some answers to the most regular questions we get asked.

If you have any questions in relation to GDPR, please contact dp.officer@northumbria.ac.uk and we will update this page with the most popular.


The UK GDPR became enforceable law from May 31st January 2020.

The GDPR states that Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13. As such, in the UK the age will be 13, not 16.

If a parent, family member or anyone else claiming to be connected to a student asks us to discuss a students academic situation, discuss a students personal matter or request access to a students  personal information, we will always say no, unless they can prove that they have the students consent to act on their behalf.

Student consent can be given via an email from the student, in person or over the phone. Students will be asked to confirm the matters they are happy to be disclosed, or anything they don't want us to share. Unless we are told otherwise, the consent will only relate to the matter at hand and further consent may be requested if new matter arise.

The UK GDPR applies to all companies processing and holding the personal data of data subjects residing in the United Kingdom, regardless of the company’s location.

There is a tiered approach  to issuing penalties under GDPR.

  1. Organisations can be fined up to 4% of annual global turnover, or €20 Million of annual global turnover (whichever is higher), for breaches that may occur. This is the maximum fine that can be imposed for the most serious infringements. e.g. loss of data, not notifying the Information Commissioner's Office (ICO) of a breach etc.
  2. They can also be fined 2% of annual global turnover, or €10 million for not having sufficient records of their processing activities.  e.g.not identifying what processing they do, not notifying the data subject about processing, not delivering against the rights of the data subject etc.

The fines are significant and no doubt a driver for compliance, but can be avoided providing that the University, and our staff process data in the right way.

No, mandatory reporting is only required where the breach poses "a risk to the rights and freedoms of individuals". In such instances, without undue delay, and where feasible, we must report the incident to the ICO within 72 hours.

You must however report all suspected or potential data breaches to the University Data Protection Officer  (See below)

Yes. Any "near miss" or incident that occurs involving personal data should be flagged to the DPO so that it can be logged and investigated and so that they can assess the risk "to the rights and freedoms of individuals".

Whilst this may seem  excessive, particularly where it is obvious that it was "accidental", the University needs to know about it so that we can prevent similar incidents happening in the future with higher risk data. 

 

 

 

Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

Not always.  Consent is only one of several lawful grounds for holding and using people's data. For example, any uses that are for the purposes of contractual arrangements (including student/employee contracts) are unlikely to be on consent grounds. The University has produced guidance on Lawful basis for processing.

The conditions for consent have been strengthened, as organisations will no longer be able to utilise long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent - meaning it must be unambiguous. 

Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.

Consent must be by a positive indication of the individuals intention i.e. "tick to opt-in" rather than a by passive "un-tick here to opt-out". Where consent has been obtained, it must be as easy to withdraw consent as it is to give it. 


a sign in front of a crowd
+

Northumbria Open Days

Open Days are a great way for you to get a feel of the University, the city of Newcastle upon Tyne and the course(s) you are interested in.

Research at Northumbria
+

Research at Northumbria

Research is the life blood of a University and at Northumbria University we pride ourselves on research that makes a difference; research that has application and affects people's lives.

NU World
+

Explore NU World

Find out what life here is all about. From studying to socialising, term time to downtime, we’ve got it covered.


Latest News and Features

Some members of History’s editorial team (from left to right): Daniel Laqua (editor-in-chief), Katarzyna Kosior (reviews editor), Lewis Kimberley (editorial assistant), Charotte Alston (deputy editor) and Henry Miller (online editor).
Dr Elliott Johnson, Vice Chancellor’s Fellow in Public Policy at Northumbria University.
Balfour Beatty graduates at Northumbria's winter congregation
NIHR multiple and complex needs
Paramedics at work
Joint Institute of Clean Hydrogen
Volunteering builds inroads and supports communities. In this photo, UN Volunteers interview community members to assess basic health services in the rural areas of Rwanda. Copyright UNV, 2023
HICSA partners at the site

Back to top