GDPR Compliance Checklist

GDPR Compliance Checklist

For Databases Storing Personal Data

The GDPR places responsibility on the University to control the processing of personal data within the University. The processing must meet the basic Principles of the GDPR. The following points should help determine whether your databases, planned, new, or existing, are subject to the GDPR and, if so, what precautions you must take.

Please work your way through all the points unless you conclude, after point 1, that the GDPR does not apply to your database. If you are unsure at any stage, you must consult the University's Data Protection Office to ensure compliance with the GDPR.

  • Check that you know what is meant by personal data and special category data. If your database does not contain such data then your database is not subject to the GDPR.
  • If your database is being used for administrative and management purposes related to students, including current and past students, and applicants and potential applicants, check that the content and reason for the database fits with the rules for processing student personal data;
  • If your database is being used for administrative and management purposes related to staff, including current and past staff, and applicants and potential applicants, check that the content and reason for the database fits with HR Policy and Procedures;
  • If your database is being used for research purposes:
    • Check that you know what is meant by, and the conditions relevant to, Research on Personal Data;
    • Check that you know and apply the additional rules relevant to Research on Special category Personal Data;
    • Check that you have obtained appropriate Consent from all the individuals who are the target of the research;
    • If the research data is to be transferred either (a) into the University or (b) outwith the University at any stage, ensure that an appropriate contract is in place that covers data protection requirements and responsibilities;
    • Check the Research and Innovation Services Code of Good Practice in Research, which provides recommendations on documenting results and storing primary data based on the requirements of several Research Councils, as it takes into account:
      • The legal and regulatory framework for particular types of research;
      • The terms and conditions imposed by external research sponsors;
      • The commercial, political or ethical sensitivity of particular types of research, or any research for particular external sponsors.
    • For further guidance please see our pages on Research and the Research Checklist.
  • Is your database non-research related and about individuals from outwith the University?
    • Check that, if the data is being supplied from outwith the University by another organisation or company, that either (a) an appropriate contract covering data protection requirements and responsibilities is in place, or (b) there is a legislative requirement upon the University;
    • Check that a suitable consent statement is specified on any forms that are used to collect the personal data from the individuals;
    • Consider using the Information Padlock Symbol on forms and literature when appropriate.
  • Check the conditions if you need to transfer personal data elsewhere within the University, and/or outwith the University, and/or outwith the UK;
  • Check how long the personal data in the database must be retained to fulfill the purpose for which it was originally collected. There are many determining factors such as legal requirements as well as legitimate business practices that will influence the decision on the period of time for the retention of records containing personal data. Ensure that when the database is not longer required, its contents are either (a) retained in line with the University's Records Centre guidelines, or (b) are securely destroyed in line with the University's IT Equipment Disposal Policy and not retained on a computer's disk storage.

If the purpose or reason for creating your database does not fit with any of the above, you must immediately consult the Data Protection and Freedom of Information Office for advice and to ensure compliance with the GDPR.