GDPR news GDPR news

25 May 2018: GDPR day! We will now stop updating the news on this page, but will be adding latest news to our Data Protection homepage.

May 2018: The Data Protection Bill has now received Royal Assent and comes into force on Friday 25 May. See the Data Protection Act 2018.

April 2018: Our new GDPR online training package is now available to all UEA staff and research students. Go to Blackboard and look under 'My Organisations' to access the training.

March 2018: The ICO has published an Introduction to the Data Protection Bill.

February 2018: The European Commission have published advice on GDPR, including Rights for citizens and Rules for businesses and organisations.

January 2018: The ICO has updated its GDPR guidance to include a section on documentation, and what we need to include in our Records of Processing Activities. Documentation may not sound exciting, but this is a really important part of our preparations for GDPR, and getting it right will help our compliance with a number of other areas of the new law. If we haven't been in touch with your department to map your data processing yet, let us know.

December 2017: we await the final detail of how GDPR / the new Data Protection Act will affect research involving personal data, but in the meantime the Health Research Authority have published a suite of guidance to explain the legislation to those working in health and social care research.

December 2017: In search of some light Christmas reading? Look no further than the updated GDPR guidance from the ICO. Includes expanded guidance on the lawful bases for processing (if you haven't identified which ones apply to your data processing, start now), and updates on the guidance being produced by the Article 29 Working Party - most recent: Consent and Transparency. Should be enough to keep us going until Parliament's 3rd reading of the Data Protection Bill in January.

October 2017: The Article 29 Working Party have published new guidelines on 'personal data breach notification' and 'automated individual decision making and profiling'. 

October 2017: Jisc have compiled resources and advice to help universities prepare for GDPR.

October 2017: The ICO's blog confirms that the annual fee many organisations have to pay the ICO when registering as a data controller is going to continue after all. GDPR does not include this obligation, but a provision within the Digital Economy Act means it will remain a legal requirement in the UK. 

September 2017: The Data Protection Bill has been published. At 202 pages it's not going to be a quick read, but will explain how the Government intends GDPR to be implemented in the UK. More detail to come, once we've had time to digest it all...

August 2017: Universities may be able to reject requests to access or rectify personal data, or objections to the processing of such data (including the prevention of further processing of that data), where the data is processed for the purpose of scientific or historical research, under derogations to GDPR which are due to be introduced in the planned UK Data Protection Bill. The derogations are designed to prevent research projects being hampered by data protection barriers. 

August 2017: The Information Commissioner has launched a series of 'myth busting' blogs to help us sort the GDPR facts from fiction. Includes a post on why consent is not the 'silver bullet' for GDPR compliance.

August 2017: For a quick and easy to digest summary of the Data Protection Bill and its connection with GDPR, see Act Now's blog post. 

August 2017: The Department for Digital, Culture, Media & Sport has published the outcome of its consultation on GDPR (see April, below), including their statement of intent paper, 'A New Data Protection Bill: Our Planned Reforms'. The BBC and Guardian have commented on the news.

July 2017: The BBC reports on the impact that the implementation of GDPR will have on businesses in the UK, both in terms of the large fines that they could incur if they fail to comply, but also the benefits that come from being able to demonstrate respect for individual's privacy.

June 2017: Data Protection Reform was mentioned by Queen Elizabeth II in her speech at the opening of Parliament. The UK would retain its "world-class" data protection regime, the Queen said. The government reiterated its plans to implement GDPR, and will publish a Data Protection Bill (pdf) which aims to give citizens more control over their data.

May 2017: There is now one year until GDPR is implemented. To mark the occasion, the ICO has issued a range of guidance on how businesses can prepare for what the Information Commissioner, Elizabeth Denham, describes as "the biggest change to data protection law for a generation." 

April 2017: One of the more eye-catching aspects of GDPR is the potential for organisations to be issued with very large fines - up to 20m Euro or 4% of turnover. The Register reports on NCC Group's research on how recent ICO monetary penalties might have looked under GDPR. 

April 2017: the Article 29 Working Party have issued more GDPR guidance, this time on Data Protection Impact Assessments. See UEA guidance to find out how and when you'll need to complete a DPIA.

April 2017: Want to have your say on the changes the Government can make to GDPR? DCMS has issued a call for views on the GDPR derogations. The consultation closes on 10 May 2017.

March 2017: GDPR includes specific requirements on obtaining and recording consent for handling personal data. The ICO has published draft consent guidance to help organisations understand the Regulations.

February 2017: Out-Law reports on comments made by Matt Hancock, Minister of State for Digital & Culture. Outlining plans to repeal parts of the DPA in preparation for GDPR, Hancock said that the Regulations are seen by the Government as 'a good piece of legislation' and that he does not 'foresee any great changes' being made to the law once UK has left the EU. 

January 2017: The ICO has published an update setting out when GDPR guidance will be provided. More details in their blog.

December 2016: the Article 29 Working Party are starting to produce guidance on aspects of GDPR. First up, they've issued papers on the role of the Data Protection Officer and Data Portability.

October 2016: The government has now confirmed that the UK will be implementing the General Data Protection Regulation (GDPR). The ICO's blog comments on the implications and what they will do to support UK data controllers. 

September 2016: GDPR changes what we need to tell people when we collect their personal data. Act Now examine the different 'privacy notice' requirements we'll need to consider.   

July 2016: The ICO have published an overview of the GDPR, highlighting key themes and describing some of the new and different requirements. 

June 2016: The ICO have released a statement on the outcome of the EU referendum. The 2040 Information Law Blog comments on what might happen next, and what organisations need to do.

June 2016: PWC blog on what the outcome of the EU Referendum will mean for GDPR implementation.

May 2016: GDPR published in the Official Journal. The Regulations are now in force and will apply from 25 May 2018.

April 2016: The GDPR (and Directive, for the police and criminal justice sector) adopted by the European Parliament.

March 2016: The Information Commissioner gives us 12 steps to prepare for GDPR.

Update Update

We've moved most of the University's information on the GDPR to our main data protection page, but will continue to maintain this news page until summer 2018. 

Useful links Useful links