
An Introduction to the General Data Protection Regulation
General Data Protection Regulation
• Single set of rules for all EU nations
• Supersedes the Data Protection Act 1998
• Applies to international organisations that offer goods or
services to or monitor EU citizens
• Sits alongside the newly passed UK Data Protection Act 2018
• Requires Data Protection by Design & Default and
documented accountability
Think about it…
• Are you familiar with the previous Data Protection Act 1998?
• Do you know anything already about the GDPR?
• What are your expectations from this training?

Data protection principles
1. Personal data shall be:
a) processed lawfully, fairly and in a transparent manner;
b) collected for specified, explicit and legitimate purposes and not further processed
in a manner that is incompatible with those purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for
which they are processed;
d) accurate and, where necessary, kept up to date;
e) kept in a form which permits identification of data subjects for no longer than is
necessary for the purposes for which the personal data are processed;
f) processed in a manner that ensures appropriate security of the personal data.

2. The controller shall be responsible for, and be able to demonstrate compliance
with, the above (the accountability principle).
Think about it…
• How might you demonstrate accountability with the principles?
• What procedures does your team, Service, School, Institute, or College have in
place to comply with any of the principles?
Personal data
Any information relating to a natural person who can be
identified, directly or indirectly, by that information
• Name
• Identification number
• Location data
• Online identifier
• Pseudonymised data (still personal data, because it can be attributed to a person
using additional information such as the key or lookup table)
• Factors specific to physical, physiological, genetic, mental,
economic, cultural or social identity
Special categories of personal data
Personal data relating to:
• racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade union membership
• genetic data, and biometric data processed for the purpose of uniquely
identifying a person
• health
• sex life or sexual orientation
Think about it…
• Can you identify the different types of personal data and special categories of
personal data that you work with or store?
• Include the data processed by your team, Service, School, Institute, or College
What is processing?
Any operation or set of operations performed on personal
data or on sets of personal data
• collection, recording, receipt
• storage, backup, filing, retention
• display, scanning, review
• deletion, destruction
• editing, updating, modification
• copying, transmission, transfer, release
• loss, mislaying, misdirection
When can you process personal data?
Lawful bases for PERSONAL DATA (at least one must apply):
• Consent
• Necessary for performance of a contract
• Necessary for compliance with a legal obligation
• Protect vital interests of the individual
• Necessary for performance of a task in the public interest
• Necessary for the purposes of legitimate interests

Conditions for SPECIAL CATEGORIES OF PERSONAL DATA (one of these is needed in
addition to a lawful basis):
• Explicit consent
• Required to comply with employment, social security, or social protection
legislation
• Protect vital interests of the individual
• In connection with legal proceedings and the administration of justice
• Information already made public by the data subject
• Necessary for medical reasons or public interest in relation to public health
• Necessary for archiving, scientific or historical research, or statistical
purposes
Think about it…
• Based on the personal data you previously identified, what are your legal bases
for processing those different types of data?
Conditions for consent
• Implied consent is unacceptable for processing
• Demonstrable by a statement or clear affirmative action (pre-ticked boxes or
silence do not count)
• Freely given, specific, informed, unambiguous
• Consent must be obtained separately for each processing purpose; one blanket
consent does not cover every scenario
• Consent can be withdrawn at any time, and withdrawing must be as easy as giving it

New and expanded rights
• Right to be informed
• Right of access
• Right to rectification
• Right to erasure
• Right to restriction
• Right to data portability
• Right to object
• Rights in relation to automated decision-making, including profiling
New and expanded rights
• Data subjects must be aware of their rights
• Responses must be provided within one calendar month (extendable by a further two
months for complex or numerous requests, provided the data subject is told within
the first month)
• Systems and procedures must be in place to adhere to rights
• Documentation of adherence required
• If a right is exercised, we must notify any third party we’ve shared the relevant
data with
Think about it…
• If someone exercised any one of their rights, how would you or your team go about
providing a response?
• Do you know how to find and access the data?
• Can you erase it, correct it, or restrict it?
Privacy notices under GDPR
• Presented to the data subject whenever new processing is undertaken
• Consider a layered approach to notification
• Must explain:
o personal data being processed,
o purpose of processing,
o intended retention,
o subject rights,
o source of data,
o conditions of processing,
o intended sharing or international transfer
o existence of automated decision making, including profiling
Think about it…
University staff have a number of responsibilities that help the University to
uphold and demonstrate compliance with the GDPR.
The next few slides detail how we can meet these responsibilities.
Your responsibilities: Data Protection by Design
• Maintain documentation and implement measures to demonstrate compliance with the
principles
• Internal audits, reviews, training
• Document processing activities to ensure transparency
• Employ data minimisation and pseudonymisation
• Do you need the data?
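The two techniques named in the slide above, data minimisation and pseudonymisation, are easier to reason about with a concrete dataset. The following is an added illustration and is not code from the University's training material; the student records are constructed, and the student IDs, course codes and field names are assumptions. It keeps only the fields a hypothetical attendance report needs, replaces the direct identifier with a keyed hash (HMAC-SHA256) so that rows for the same person can still be linked without exposing who they are, and keeps the re-identification table separate. The final function shows why the result is still personal data: whoever holds the key or the table can reverse the pseudonymisation.

```python
import hmac
import hashlib
import secrets

# Constructed sample records for illustration only; these are not real people.
RECORDS = [
    {"student_id": "2412345", "name": "A. Example", "email": "a.example@example.ac.uk",
     "course": "COMPSCI4012", "attended": True},
    {"student_id": "2498765", "name": "B. Sample", "email": "b.sample@example.ac.uk",
     "course": "COMPSCI4012", "attended": False},
    {"student_id": "2412345", "name": "A. Example", "email": "a.example@example.ac.uk",
     "course": "COMPSCI4021", "attended": True},
]

# Data minimisation: the attendance report needs only these fields. Name and e-mail
# are dropped entirely rather than carried along "just in case".
NEEDED_FIELDS = ("course", "attended")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed hash of an identifier (assumed secret key, 32 random bytes).

    A plain SHA-256 of a 7-digit student ID could be reversed by hashing every
    possible ID; the HMAC key prevents that for anyone who does not hold the key.
    The digest is truncated to 64 bits, which is enough to keep the sample rows
    distinct while keeping the pseudonyms short."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key, id_field="student_id"):
    """Return (minimised pseudonymised dataset, re-identification table).

    The table maps pseudonym -> original identifier. It must be stored separately
    from the dataset and under stricter access control; the dataset is only
    pseudonymous (not anonymous) as long as the table or key exists."""
    lookup = {}
    dataset = []
    for record in records:
        p = pseudonym(record[id_field], key)
        lookup[p] = record[id_field]
        row = {"subject": p}
        row.update({field: record[field] for field in NEEDED_FIELDS})
        dataset.append(row)
    return dataset, lookup


def reidentify(pseudo_records, lookup):
    """Reverse the pseudonymisation. Only possible with the lookup table (or the key),
    which is exactly why pseudonymised data remains personal data for the controller."""
    return [dict(row, student_id=lookup[row["subject"]]) for row in pseudo_records]


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # generated per run; keep it out of the dataset
    dataset, lookup = pseudonymise(RECORDS, key)
    for row in dataset:
        print(row)                          # no names, e-mails or student IDs appear
    print(reidentify(dataset, lookup)[0]["student_id"])
```

Two properties are worth checking when reviewing a pseudonymisation scheme like this: the same identifier must map to the same pseudonym under the same key (so the dataset stays useful for linking), and a different key must give unrelated pseudonyms (so a leaked dataset cannot be joined against another one pseudonymised with its own key).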
Your responsibilities: Data Protection by Design
Data Protection Impact Assessments
• Description of the intended processing and its purposes
• Risk assessment and detail of risk avoidance measures
• Required when:
o using new technologies,
o profiling,
o surveilling,
o processing special categories of personal data,
o processing is likely to result in a high risk to the rights and freedoms of
individuals
Your responsibilities: data sharing agreements
• Contract laying out multiple party commitments to personal data
• Required for sharing personal data with processors or any other
third parties outwith the University
• Ensures compliance with GDPR Principles and international or
third party transfer requirements
• Ensures you are working with a GDPR compliant processor
• Drafted by Contracts team within Finance
Your responsibilities: data security
• Appropriate and secure storage for paper and electronic
records
• Encrypt data on laptops, tablets, memory sticks, etc.
• Authorised access only, no password sharing
• Double-check your correspondence addresses and
attachments
• Do not share information with 3rd parties without data sharing
agreements
• Destroy records appropriately and securely
• Be aware of your cloud usage
Think about it…
• How do you meet the requirements of these various
responsibilities?
• Do you know all of the personal data that you
process? Can you conduct an information audit within
your work area or with your team?
• Are you embarking on any projects or purchasing any
products that may require a DPIA?
• Do you share data with any third parties, and if so, do
you have appropriate agreements or contracts in
place? How can you demonstrate and ensure
appropriate data security?
Exemptions
Crime – we can share personal data in order to aid the prevention or detection of
crime or the apprehension and prosecution of offenders.
Any requests from law enforcement should be handled by the DP Office.
Research and statistics – if you’re using personal data for research or statistical
purposes, you may be exempt from the access, rectification, restriction and objection
rights.
Exam scripts – personal data recorded by candidates during an exam are not
subject to the right of access or privacy notice requirements.
Confidential references – personal data in references created or given by GU are
not subject to the right of access or privacy notice requirements.

All exemptions must be determined and exercised by the DP & FOI Office.


Personal data breaches
A breach of security leading to accidental or unlawful destruction, loss,
alteration, unauthorised disclosure of or access to personal data
transmitted, stored or otherwise processed

Breaches must be reported immediately to the DP & FOI Office. Where a breach is
likely to result in a risk to individuals, the University must notify the ICO
without undue delay and, where feasible, within 72 hours of becoming aware of it;
the 72-hour clock does not wait for the internal investigation to finish.

Sanctions vary depending on the severity and extent of the breach and the
organisation’s response.

Max fines = €20 million or 4% of annual worldwide turnover, whichever is higher


Get in touch:
https://www.gla.ac.uk/myglasgow/dpfoioffice/
Email: dp@glasgow.ac.uk
Phone: 0141 330 3111
