What's changed


The GDPR has been introduced to:

  • better reflect the data protection challenges arising in the digital age
  • modernise data protection arrangements to make organisations more accountable
  • give individuals greater control over their own personal data
  • address globalisation and harmonise data protection practice across Europe

What’s new

The GDPR is similar to the 1998 Act and introduces many changes to data protection practices. These require UofG to review and revise our approach to data handling. Key changes include: 

  • tougher financial penalties - fines of up to €20 million
  • strong rules around record keeping and new financial penalties for not being able to evidence accountability for our processes – fines of up to €10 million
  • a more stringent data breach notification process only 72 hours from detection to notify a data breach to the ICO
  • a broader definition of personal data
  • a new approach to consent, freely given positive opt-in and easy to withdraw
  • new and expanded rights including a right to erasure and data portability
  • a reduced timeframe for handling Subject Access Requests - from 40 days down to 1 month, and the DPA £10 fee is no longer applicable
  • mandatory privacy impact assessments for new services/projects where risks are high
  • more restrictive rules around the use of child data
  • revised processes for international data transfers
  • a requirement for large organisations to appoint a Data Protection Officer.

Personal data

Any information relating to a data subject who can be identified, directly or indirectly by that information including: 

  • Name
  • Staff or student number
  • Location data
  • Online identifier such as IP addresses or cookies
  • Pseudonymised data
  • Any factors specific to physical, physiological, genetic, mental, economic, cultural or social identity

Special categories of personal data 

This used to be called “sensitive personal data” under DPA 1998, and includes:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • health
  • the processing of genetic data, biometric data for the purpose of uniquely identifying a person
  • sex life or sexual orientation

Criminal convictions or alleged offenses

In a shift from the previous Data Protection Act, this is not classed as “sensitive personal data’, but is covered in the GDPR Article 10 and is treated by the UofG as high-risk personal information.