Introduction

Up until 24 May 2018, the data protection regime in the UK is governed by the EU Data Protection Directive (95/46/EC) which was implemented in the UK in the form of the Data Protection Act 1998.

To address some difficulties arising under the Directive, the EU created a new data protection regime—the General Data Protection Regulation (GDPR). The GDPR replaces the Directive from 25 May 2018.

The GDPR is intended to harmonise data protection law across the EU, by removing the need for national implementation. In theory, this will mean that organisations face more consistent data protection compliance requirements across the EU (although there are several areas that remain unharmonised – and in these areas, compliance requirements may continue to vary from one Member State to the next).

The GDPR is also designed to address technological and societal changes that have taken place over the last 20 years by adopting a technology-neutral approach to regulation.

The GDPR was published on 4 May 2016, marking the end of a four-year legislative process. The GDPR entered into force on 24 May 2016. However, enforcement of the GDPR will not begin until 25 May 2018.

The GDPR is important for a number of reasons including the following ones:

1. it is very wide-ranging, and will impact almost every organisation that is based in the EU, as well as every organisation that does business in the EU, even if based outside the EU;

2. it substantially increases the maximum penalties for non-compliance to the greater of €20 million, or 4% of an organisation’s worldwide turnover;

3. it raises the bar for compliance by requiring greater openness and transparency about how organisations process personal data and it imposes tighter limits on the use of personal data; it also gives individuals more powerful rights with respect to their personal data.

The GDPR contains elements from the previous legislation (i.e. the Data Protection Act 1998), for example, the Data Protection Principles of good practice and the data subject's right to have access to his or her personal data and to correct it where inaccurate. However the GDPR imposes additional requirements.

The GDPR continues to impose stringent requirements with which the College, as an organisation holding personal data, must comply. All processing of personal data must be fair and lawful, accurate and up-to-date, and the data must be adequate, relevant, not excessive and be held for no longer than is necessary. It is mandatory that appropriate technical and procedural measures are taken to cover the security of personal information. This relates, among other things, to prevention of unauthorised or unlawful processing or disclosure of data, as well as accidental loss or destruction of, or damage to, personal data. Special conditions apply to sending personal data outside the European Economic Area (EEA), including transmitting it via the Internet.

Data held in manual or paper form (as part of a relevant filing system) is covered by the GDPR and therefore processing must comply with the GDPR.

The College's Data Protection Policy and Codes of Practice detail the rights and responsibilities of staff, students and other authorised individuals who process information on behalf of the College. If you have any further queries please contact your departmental/divisional Data Protection Co-ordinator or the College’s Data Protection Officer.

Security

Proper security measures must be applied for all methods of holding or displaying personal data and appropriate measures taken to prevent loss, destruction or corruption of data. The following general advice is given:

• Computers that can access personal data should not be left unattended when logged on and the screen should always be cleared of personal data after use
• Staff who have contact with personal data must take care that this is kept away from people not entitled to see it
• Printouts should be stored securely when not in use and shredded when no longer required
• Passwords should be changed regularly and not disclosed to unauthorised persons. Staff who are processing personal data locally should ensure that USB flash drives containing personal data are securely encrypted, removed from their machine and stored securely when not in use and are erased and reformatted when no longer required, and that personal data held on permanent hard disk have adequate protection, e.g. password access.
• Care should be taken to ensure the security of personal data, in either electronic or paper format, when the data is removed from the College, e.g. for the purpose of working at home, or for an external meeting.
• Staff and students should consult the College’s ICT “Be Secure” webpages for more detailed information as to how electronic data can be protected and processed securely.