The University of Southampton
SUSSED News

General Data Protection Regulation – new laws protecting personal data.

The law protecting personal data is changing from next year. The Data Protection Bill (2017) will see a new Act introduced to replace the current Data Protection Act (1998), aimed at modernising the data protection laws in the UK to make them fit for purpose in the digital age.

A significant element of the Data Protection Bill will be the adoption of the European Union’s General Data Protection Regulation (GDPR) standards. GDPR comes into force in the UK on 25 May 2018. The Government has confirmed that the UK’s decision to leave the EU will not affect the UK’s adoption of the GDPR.

We all – staff and students – have a duty of confidentiality and a responsibility to safeguard University information and data. The changes introduced in the GDPR will have significant implications for all European entities.

The University has already started the compliance process, putting in place a working group with the following workstream leads:

Working Group Chair – Professor Simon Cox

Legal – Barbara Halliday

Data Governance – Sarah Howes

Security/Technical – Kevin Shaw

Students – Sara McDonald

Research – Isobel Stark and Prof John Holloway

Faculties – John Kness, Thom Bull

Communication – Simon Peatfield and Ayala Gordon

Enterprise Resource Platforms (Staff) – Christine Trotter (HR), Alan Nicolas (Finance), Amanda Caspari (Estates and Facilities)

The membership of these workstreams is drawn from across the University.

There is still much work to be done to prepare for the introduction of GDPR, and further communication will be circulated as we receive clarification from the UK Government on the impact of GDPR on universities. The University has additionally engaged the services of PwC to assess our readiness for GDPR.

Professor Simon Cox (Chief Information Officer) commented:

“The University takes cyber-security and data protection very seriously and is committed to protecting personal data. The adoption of GDPR will be a complex project involving many areas of the University. GDPR also puts into law a number of sound principles which will underpin the systems we develop as a community through the ten year plan.”

Recent high-profile cyber-attacks and losses of personal data have seen companies such as TalkTalk fined around £400,000. Under GDPR these fines will increase significantly, with the ceiling lifted from the current £500,000 up to £17 million or 4% of global turnover for significant breaches, underlining the need to be compliant.

Further communication will take place over the coming months.

 