
The General Data Protection Regulation (GDPR) is in force from 25 May 2018. Along with the new Data Protection Act 2018, this is the most significant update to data protection law in two decades, made to meet today's information age.

 

GDPR strengthens individuals' rights and brings new requirements on organisations to demonstrate accountability, matched by new penalties for non-compliance. The UK Government has brought GDPR into UK law as part of the Data Protection Act 2018. We will publish updated guidance here.

The UofG online Introduction to GDPR training course is a requirement for all University of Glasgow staff and PGR students (login to Moodle required).

Roles and Responsibilities

University staff personal data storage

Paper and data storage (e.g. home drive, email etc.)

Responsibilities

  • Individual staff, and those with honorary or affiliate status

I/We will

Check personal data that I process and store and make sure that I still have a valid reason for retaining it, or if not, securely delete it.

So that

I/we demonstrate that the personal data I have is secure and I have a justifiable reason to process it under the new legislation.

I/we understand any gaps in compliance between current working practice and the new legislation, and will make realistic short, medium and long term plans to improve, addressing the highest risks first.

Support/Tools

  • UofG Information Asset Register questionnaire format
  • examples of daily work

 


Research Principal Investigator

Paper and data storage used for research data

Responsibilities

  • Principal Investigator

I/We will

Check personal data that I process and store to assess what changes apply to my research/ethics processes, and plan what I need to do to be compliant with the requirements of the new legislation.

Protect all personal data required by the terms of the funder/contract, and not delete while required. (For further advice contact your College Research Support Office.)

 

So that

I/we demonstrate that the personal data I have is secure and I have a justifiable reason to process it under the new legislation.

I/we understand any gaps in compliance between current working practice and the new legislation, and will make realistic short, medium and long term plans to improve, addressing the highest risks first.

Support/Tools

  • Medium term recommendation: process re-design project Research Ethics/Data Management, aligned to organisational information asset approach/questions

 


School / Institute / US Service Directorate

Paper and data storage (e.g. shared drives, and locally managed software applications)

Responsibilities

  • Head of School/Institute/US Directorate Accountable
  • Head of School/Institute/US Directorate Administration Responsible (and nominate staff to maintain their Information Asset Register)

I/We will

We will identify high-risk activity, and complete the Information Asset Register for data-sets we own.

So that

I/we demonstrate that the personal data I have is secure and I have a justifiable reason to process it under the new legislation.

I/we understand any gaps in compliance between current working practice and the new legislation, and will make realistic short, medium and long term plans to improve, addressing the highest risks first.

Support/Tools

 

 


UofG centrally provided IT applications

Centrally managed databases (e.g. MyCampus, Core HR, Infrastructure etc.)

Responsibilities

  • Service Owner Accountable (the service owner is in the business unit, e.g. for Finance it is the Director of Finance)
  • Service Manager Responsible (the IT manager for the service, who may be local or in IT Services)

I/We will

We will identify high-risk activity, and complete the Information Asset Register for data-sets in our area.

So that

I/we demonstrate that the personal data I have is secure and I have a justifiable reason to process it under the new legislation.

I/we understand any gaps in compliance between current working practice and the new legislation, and will make realistic short, medium and long term plans to improve, addressing the highest risks first.

Support/Tools