
These frequently asked questions are intended to provide staff and students with an overview of the new EU General Data Protection Regulation (GDPR).

The FAQs will be updated to reflect any additional questions we receive about GDPR, along with other related information and guidance.

Queries about GDPR not covered here can be emailed to the Data Protection Officer.

General

What is the GDPR?

The General Data Protection Regulation, or GDPR, is the new European Union regulation aimed at harmonising data protection laws across the EU.

The GDPR will apply to any organisation processing the personal data of individuals living in the EU, regardless of whether or not that organisation is physically based in the EU.

As with any law, failure to comply with the GDPR could have serious repercussions for St George’s; not only could we incur significant monetary penalties, but it could damage our reputation and affect our ability to carry out our business.

When does it come into effect?

The GDPR comes into force in all the EU member states on 25 May 2018.

What about the old Data Protection Act and the new Data Protection Bill, and what’s the difference between these and the GDPR?


The GDPR will supersede the Data Protection Act 1998 in the UK. However, the GDPR leaves room for each member state to make provisions (known as ‘derogations’) for how the regulation will apply in their own country.

The new UK Data Protection Bill will both introduce GDPR into UK law and outline these derogations. The Data Protection Bill will also provide further clarification for some of the terms that appear in the GDPR. Therefore, the GDPR should be read alongside the Data Protection Bill.

What happens when we leave the EU?

No final decisions have been made yet about what will happen to UK data protection law when we leave the EU. However, while the GDPR will no longer officially apply, it’s more than likely that the UK will adopt a similar version of the GDPR in order to ensure the continued flow of personal data between us and the other EU member states.

What’s new under the GDPR?

The GDPR introduces some new requirements and also updates a few existing ones. Areas where changes appear include:

  • the rights of the individual, eg a new ‘right to be forgotten’ as well as changes to how data protection requests must be processed

  • consent, eg this must be ‘opt in’ rather than ‘opt out’

  • sensitive personal data, which will be referred to as sensitive category data and will now include genetic and biometric data

  • data breaches, which must be reported within 72 hours; fines for breaches will be much larger

  • lawful basis for any processing must be documented and included in the privacy notice

  • privacy notices have a checklist of information that must be included

  • data privacy impact assessments will be mandatory in certain circumstances

  • public authorities, which includes universities, must have a designated data protection officer

  • special protections for children’s personal data will be introduced and the age of consent for processing of personal data is set at 16 (but may be lowered to 13 in the UK)

  • data processors have increased responsibility and can now be fined by the ICO.

More detailed information on these areas can be found in the ‘Key definitions and changes’ FAQs on this page.

What is St George’s doing to prepare for the GDPR?

St George’s has a GDPR working group made up of representatives from all areas of the university, the institutes and the professional services teams. The project is led by the university’s Senior Information Risk Owner (SIRO) and the working group is chaired by St George’s Information Governance Manager. This group is working towards ensuring St George’s compliance with the new requirements of the GDPR. The GDPR working group reports to the university’s Information Governance Steering Group.

How will the requirements of the GDPR affect me?

The new requirements of the GDPR will result in some changes in the way the university processes personal data. This may mean that the policies and procedures your department has for managing personal data will be amended in some way, or that you will end up with some new policies and procedures to follow. For example, if your team uses consent forms that currently have ‘opt-out’ boxes these will need to change to ‘opt-in’. The GDPR working group will issue advice and guidance on these requirements.

How will GDPR affect research activities?

For health and social care research, the new regulation is not very different from the current requirements. The Health Research Authority (HRA), the UK health and social care research regulator, has stated that it does not intend to add to the existing safeguards. Current guidelines and best practice, if followed, would meet the requirements of the GDPR within a research setting. In addition, research, especially within healthcare, will have special exemptions/derogations which have yet to be fully outlined by the UK government.

Most research studies that have involved use of confidential patient/participant information have sought consent from the participants. This meets ethical expectations to promote the autonomy and privacy of research participants and avoids a breach of the common law duty of confidentiality. This is not changing with the introduction of the GDPR. However, for GDPR, the legal basis for processing data for health and social care research is not ‘consent’. GDPR requires each activity of processing data to have a legal basis under this legislation, in addition to the common law basis. For health and social care research, the legal basis is determined by the type of organisation:

  • For universities, NHS organisations or research councils, the processing of personal data for research will be a ‘task in the public interest’.

  • For commercial companies (engaging in research) and charitable research organisations, the processing of personal data for research will be undertaken within ‘legitimate interests’.

Further guidance on the management of research data will be disseminated by the JRES in due course. General information can be found on the HRA website.

Will there be any training on the GDPR?

St George’s will be making basic training available on data protection under the new legislation. This will take the form of an online training module and all staff will be expected to complete the training.

Where can I find out more about the GDPR?

More information can be found in the section below (‘Key definitions and changes’) and also on the Information Commissioner’s Office (ICO) website, for example in their 12 steps guide to preparing for the GDPR.

Key definitions and changes

What is a privacy notice?

A privacy notice is a statement detailing what personal data someone collects about you, why they collect it and what they do with it. Transparency in the use of personal data has always been an important aspect of the Data Protection Act and it continues to be so with the GDPR. However, the GDPR now sets out a ‘checklist’ of the information that must be included within a privacy notice, as well as indicating how and when the privacy notice must be made available to the individual whose personal data is being collected.

St George’s will be providing more comprehensive guidance on how and when to draft a privacy notice in due course.

What are the legal bases for processing personal data?

The Data Protection Act dictates that processing of personal data must be ‘lawful’ and must meet one of the criteria listed in the Act.

The same applies with the GDPR. So if you are processing personal data then you must meet one of the conditions laid out in the regulation, these being:

a) the data subject has given their consent to this processing

b) the processing is necessary for the performance of a contract with the data subject

c) the processing is necessary for compliance with a legal obligation

d) the processing is necessary in order to protect the vital interests of the data subject or another living individual

e) the processing is necessary for the performance of a task carried out in the public interest

f) the processing is necessary for the legitimate interests of the data controller.

The GDPR places an additional requirement that you must be able to demonstrate the lawful basis for all of your data processing activities, and that these lawful bases be made known to the individual whose personal data is being processed, ie via the relevant privacy notice.

The GDPR also stipulates that public authorities (including universities) may only rely on using the final condition, ‘legitimate interests’, where it does not apply to one of our core tasks, ie education and research.

Consent should only really be relied on where no other option is available, as consent can always be withdrawn by the individual.

How is consent different under GDPR?

Under the GDPR, the mechanisms used for obtaining consent must adhere to certain rules. For example, consent must be ‘explicit’ meaning it must be absolutely clear to the individual what it is they are consenting to; consent must involve an affirmative action by using opt-in (not opt-out) boxes and should not involve the use of pre-ticked boxes; consent for different uses of personal data should be dealt with as separate indications of consent, not grouped together under a single tick box. It will be important to review your consent mechanisms every so often, and keep records of when/how you change your consent forms.

You will also need to pay special attention to the type of language you use when obtaining consent from children. Any explanation of what you will be doing with children’s personal data must be phrased in a way that will be easily understandable to them. Where a child is below the relevant age of consent you will need to include parental (or guardian) consent. The GDPR sets the age of consent as 16, but the regulation provides scope for member states to lower this as far as 13. It is possible that the new Data Protection Bill will set the age of consent for data protection purposes in the UK as 13. 

More detailed guidance on drafting a consent form under GDPR can be found on the ICO’s website.

What is a data protection impact assessment and when do I need to do one?

A data protection impact assessment (DPIA) is a way of helping to identify and minimise the privacy risks associated with a project involving personal data. It also helps identify the best ways to ensure compliance with data protection obligations. A DPIA should be carried out at the start of a new project, before you actually start doing anything with personal data. It may also be necessary to do a DPIA when you make significant changes to existing systems, or when you want to change the way you will be using personal data you already have.

Under the Data Protection Act there is no obligation to do a DPIA. The GDPR makes it mandatory to carry out a DPIA in certain circumstances, when there is likely to be a ‘high risk’ to the individuals whose personal data is being processed, for example research projects involving the use of health-related data.

St George’s will be producing a policy on how and when to carry out a DPIA.

What do I need to know about reporting data breaches?

There will be a new duty to report a data breach, whether accidental or deliberate, within 72 hours of becoming aware of it.

The GDPR also sees a significant increase in the size of the fines that the ICO will be able to impose. Under the Data Protection Act, the maximum fine the ICO can levy is £500,000. Under the GDPR there are two tiers of fines, with the ICO having the power to impose fines of up to €10 million or 2% of global turnover (whichever is higher) or €20 million or 4% of global turnover (whichever is higher).

So every member of the university will need to make sure they are aware of their responsibilities to help prevent breaches, and also of the importance of reporting a breach as soon as they are aware that there has been one.

St George’s will be producing a policy on the process for reporting breaches.

How will the rights of the individual change?

Individuals have the right to request a copy of the personal data an organisation holds on them. The Data Protection Act allows 40 calendar days for complying with such requests. This is reduced to one month under the GDPR. The GDPR also removes the ability to charge an individual for providing them with a copy of their information.

The GDPR introduces some new rights for the individual, such as the right to erasure (also referred to as the right to be forgotten) and the right of data portability. The right to erasure allows an individual to request that their personal data be deleted, so long as there isn’t a compelling reason to continue processing it, eg that there isn’t a legal obligation for an organisation to retain the personal data. The right of data portability means that an individual has the right to request a copy of their personal data in a format that will allow them to reuse it, eg if they want to transfer their data to a different service provider or to use it for a completely different purpose.

Further clarification of what the ‘rights of the individual’ are can be found on the ICO website.
