• What is the General Data Protection Regulation (GDPR)?

    The GDPR will supersede national laws including the UK Data Protection Act, unifying data protection law and easing the flow of personal data across the 28 EU member states. From 25th May 2018 all organisations that process the personal data of individuals in the EU will be required to abide by a number of provisions or face significant penalties.

    Why is it important to Oxford Brookes?

    As a public body, Oxford Brookes University will see its obligations under the current Data Protection Act increased by the GDPR. The regulation introduces substantial penalties for violations (up to 2% or 4% of annual worldwide turnover, depending on the provision breached), including fines for administrative failures such as incorrect recording and reporting.

    Key points of the GDPR that are relevant to Oxford Brookes University:

  • The regulation requires greater clarity about what personal data we hold, where it came from and who it has been shared with.

    Our current privacy notices may not be GDPR-compliant. The GDPR requires that privacy notices clearly inform data subjects of the legal basis for processing the information, data retention periods and their rights under the GDPR (see below).

    The new regulation sets in law a number of rights that data subjects must have. These rights include subject access, rectification, erasure (‘the right to be forgotten’) and the right not to be subject to decisions based solely on automated decision-making, including profiling.

    Under the GDPR the time allowed to comply with a subject access request will reduce from 40 days to one month. There will also be additional information that needs to be provided to anyone making a subject access request.

    The GDPR firmly places the responsibility for demonstrating that consent has been given on the data controller.

    There is an increased obligation under the GDPR for organisations to report personal data breaches to the Information Commissioner’s Office (ICO): a breach that is likely to result in a risk to individuals’ rights and freedoms must be reported within 72 hours of the organisation becoming aware of it.

    There will be an increased obligation to conduct privacy impact assessments (called data protection impact assessments under the GDPR) before implementing certain new business processes. The GDPR builds on the concept of ‘privacy by design’ (‘data protection by design and by default’ in the regulation) and requires data protection to be linked to risk management and project management processes at the earliest stage.

    The GDPR stipulates that all public bodies must appoint, or nominate, an organisational Data Protection Officer who takes responsibility for data protection compliance and has the knowledge, support and authority to do so.

  • Next steps

    a. Plan and implement a University wide information audit to review and document what personal data faculties and departments hold.

    b. Review privacy notices in use across Brookes and improve where necessary.

    c. Review subject access request and data breach reporting policies and procedures.

    d. Plan and carry out a data protection compliance review.

    e. Determine appropriate governance structure including nomination of a data protection officer.