GDPR Compliance Checklist

For Databases Storing Personal Data

The GDPR places responsibility on the University to control the processing of personal data within the University. That processing must meet the basic Principles of the GDPR. The following points should help you determine whether your databases, whether planned, new or existing, are subject to the GDPR and, if so, what precautions you must take.

Please work your way through all the points unless you conclude, after point 1, that the GDPR does not apply to your database. If you are unsure at any stage, you must consult the University's Data Protection Officer to ensure compliance with the GDPR. The A to Z Guide expands on each of the issues mentioned in the following checklist.

  1. Check that you know what is meant by personal data and special category personal data. If your database does not contain such data, then your database is not subject to the GDPR.
  2. If your database is being used for administrative and management purposes related to students (including current and past students, and applicants and potential applicants), check that the content of, and reason for, the database fit with the rules for processing student personal data [from the Fees and General Information for Students section of the 2005 University Calendar].
  3. If your database is being used for administrative and management purposes related to staff (including current and past staff, and applicants and potential applicants), check that the content of, and reason for, the database fit with HR Policy and Procedures.
  4. Is your database being used for research purposes?
    • Check that you know what is meant by, and the conditions relevant to, Research on Personal Data;
    • Check that you know and apply the additional rules relevant to Research on Special Category Personal Data;
    • Check that you have obtained appropriate Consent from all the individuals who are the subjects of the research;
    • If the research data is to be transferred either (a) into the University or (b) outwith the University at any stage, ensure that an appropriate contract, approved by Research and Enterprise, is in place that covers data protection requirements and responsibilities;
    • Check the Research and Enterprise publication Good Practice in Research, which provides recommendations on documenting results and storing primary data based on the requirements of several Research Councils, as it takes into account:
      • The legal and regulatory framework for particular types of research;
      • The terms and conditions imposed by external research sponsors;
      • The commercial, political or ethical sensitivity of particular types of research, or of any research for particular external sponsors.
  5. If the purpose or reason for creating your database does not fit any of the above Sections 2-4, you must immediately consult the Data Protection and Freedom of Information Office to ensure compliance with the GDPR.
  6. Is your database non-research related and about individuals from outwith the University?
    • Check that, if the data is being supplied from outwith the University by another organisation or company, either (a) an appropriate contract covering data protection requirements and responsibilities is in place, or (b) there is a legislative requirement upon the University;
    • Check that a suitable consent statement is specified on any forms that are used to collect the personal data from the individuals;
    • Consider using the Information Padlock Symbol on forms and literature when appropriate.
  7. Check the conditions if you need to transfer personal data elsewhere within the University, and/or outwith the University, and/or outwith the UK.
  8. Check that your arrangements meet the security requirements of the GDPR.
  9. Check how long the personal data in the database must be retained to fulfil the purpose for which it was originally collected. Many factors, such as legal requirements as well as legitimate business practices, will influence the decision on the retention period for records containing personal data. Ensure that, when the database is no longer required, its contents are either (a) retained in line with the University's Records Centre guidelines, or (b) securely destroyed in line with the University's Computer Equipment Disposal Policy and not retained on a computer's disk storage.