Although they share much common ground, GDPR will differ from the Data Protection Act in key ways and the University must prepare for the changes to come.
To find out more, click on the links on this page or contact firstname.lastname@example.org, or +44 (0)1603 59 2431.
March 2018: The ICO has published an Introduction to the Data Protection Bill.
January 2018: The ICO has updated its GDPR guidance to include a section on documentation, and what we need to include in our Records of Processing Activities. Documentation may not sound exciting, but this is a really important part of our preparations for GDPR, and getting it right will help our compliance with a number of other areas of the new law. If we haven't been in touch with your department to map your data processing yet, let us know.
December 2017: we await the final detail of how GDPR / the new Data Protection Act will affect research involving personal data, but in the meantime the Health Research Authority have published a suite of guidance to explain the legislation to those working in health and social care research.
December 2017: In search of some light Christmas reading? Look no further than the updated GDPR guidance from the ICO. Includes expanded guidance on the lawful bases for processing (if you haven't identified which ones apply to your data processing, start now), and updates on the guidance being produced by the Article 29 Working Party - most recent: Consent and Transparency. Should be enough to keep us going until Parliament's 3rd reading of the Data Protection Bill in January.
October 2017: The Article 29 Working Party have published new guidelines on 'personal data breach notification' and 'automated individual decision making and profiling'.
October 2017: Jisc have compiled resources and advice to help universities prepare for GDPR.
October 2017: The ICO's blog confirms that the annual fee many organisations have to pay the ICO when registering as a data controller is going to continue after all. GDPR does not include this obligation, but a provision within the Digital Economy Act means it will remain a legal requirement in the UK.
September 2017: The Data Protection Bill has been published. At 202 pages it's not going to be a quick read, but will explain how the Government intends GDPR to be implemented in the UK. More detail to come, once we've had time to digest it all...
August 2017: Universities may be able to reject requests to access or rectify personal data, or objections to the processing of such data (including the prevention of further processing of that data), where the data is processed for the purpose of scientific or historical research, under derogations to GDPR which are due to be introduced in the planned UK Data Protection Bill. The derogations are designed to prevent research projects being hampered by data protection barriers.
August 2017: The Information Commissioner has launched a series of 'myth busting' blogs to help us sort the GDPR facts from fiction. Includes a post on why consent is not the 'silver bullet' for GDPR compliance.
August 2017: For a quick and easy to digest summary of the Data Protection Bill and its connection with GDPR, see Act Now's blog post.
August 2017: The Department for Digital, Culture, Media & Sport has published the outcome of its consultation on GDPR (see April, below), including their statement of intent paper, 'A New Data Protection Bill: Our Planned Reforms'. The BBC and Guardian have commented on the news.
July 2017: The BBC reports on the impact that the implementation of GDPR will have on businesses in the UK, both in terms of the large fines that they could incur if they fail to comply, but also the benefits that come from being able to demonstrate respect for individual's privacy.
June 2017: Data Protection Reform was mentioned by Queen Elizabeth II in her speech at the opening of Parliament. The UK would retain its "world-class" data protection regime, the Queen said. The government reiterated its plans to implement GDPR, and will publish a Data Protection Bill (pdf) which aims to give citizens more control over their data.
May 2017: There is now one year until GDPR is implemented. To mark the occasion, the ICO has issued a range of guidance on how businesses can prepare for what the Information Commissioner, Elizabeth Denham, describes as "the biggest change to data protection law for a generation."
April 2017: One of the more eye-catching aspects of GDPR is the potential for organisations to be issued with very large fines - up to 20m Euro or 4% of turnover. The Register reports on NCC Group's research on how recent ICO monetary penalties might have looked under GDPR.
April 2017: Want to have your say on the changes the Government can make to GDPR? DCMS has issued a call for views on the GDPR derogations. The consultation closes on 10 May 2017.
March 2017: GDPR includes specific requirements on obtaining and recording consent for handling personal data. The ICO has published draft consent guidance to help organisations understand the Regulations.
February 2017: Out-Law reports on comments made by Matt Hancock, Minister of State for Digital & Culture. Outlining plans to repeal parts of the DPA in preparation for GDPR, Hancock said that the Regulations are seen by the Government as 'a good piece of legislation' and that he does not 'foresee any great changes' being made to the law once UK has left the EU.
January 2017: The ICO has published an update setting out when GDPR guidance will be provided. More details in their blog.
October 2016: The government has now confirmed that the UK will be implementing the General Data Protection Regulation (GDPR). The ICO's blog comments on the implications and what they will do to support UK data controllers.
September 2016: GDPR changes what we need to tell people when we collect their personal data. Act Now examine the different 'privacy notice' requirements we'll need to consider.
July 2016: The ICO have published an overview of the GDPR, highlighting key themes and describing some of the new and different requirements.
June 2016: PWC blog on what the outcome of the EU Referendum will mean for GDPR implementation.
May 2016: GDPR published in the Official Journal. The Regulations are now in force and will apply from 25 May 2018.
April 2016: The GDPR (and Directive, for the police and criminal justice sector) adopted by the European Parliament.
March 2016: The Information Commissioner gives us 12 steps to prepare for GDPR.
The Information Compliance team are running regular lunchtime briefings and Q&A sessions to help staff get ready for GDPR.
No booking is required, and the team will be on hand to answer your data protection questions.
Time: 12-1pm (briefing will take around 30 mins from 12pm)
Location: Library Conference Room
March 22 (briefing plus Q&A)
April 12 (Q&A)
April 26 (briefing plus Q&A)
May 03 (Q&A)
May 24 (briefing plus Q&A) Please note this session will be taking place in Committee Room 2 in the Registry Building