GDPR is coming...

GDPR is coming...

Issued: Mon, 08 Jan 2018 14:50:00 GMT

The General Data Protection Regulation (GDPR) is coming all too soon to a College/Service near you!

To help colleagues manage the transition to the new data protection regime and ensure best practice in the management of personal data, a suite of guidance and templates will be available from the beginning of next month. This is part of the University-wide programme in Colleges and Services covering all personal data, regardless of format or location. 

However, in the meantime, have a think about the personal data you hold and manage and if it is no longer required then delete, destroy and minimise. In the new world of the GDPR and processing personal data, less really is best!

Data Minimisation – Why less is best!

The laws on data protection are changing and from May 25 2018, the UK, along with the rest of the European Economic Area, will be implementing the General Data Protection Regulation (GDPR). The GDPR will be the biggest change in data protection law for 20 years and will mean a transformation to how the University manages personal data.

One of the Principles of the GDPR is the concept of data minimisation which means ensuring that all personal data is limited to what is adequate, relevant and necessary to the purpose or requirement for processing. So how can personal data be minimised? The easiest way is to ask yourself a series of questions:

  • The first and most obvious is, do I actually need to collect and process personal data at all?
  • Can my task or purpose be served by using data that does not allow an individual to be identified/identifiable? If the answer is yes, the GDPR and its obligations simply do not apply and the risk of personal data breaches and falling foul of the GDPR is removed.
  • If personal data are/have been required, does this data still need to be retained? Has it served its purpose, is it a duplicate copy or is it being kept “just in case”? Have you inherited filing cabinets of unknown records that you have never looked at (or have lost the key to!) or have you been given ownership of unidentified data on a communal shared drive when colleagues have left the University? If the data is not used and you cannot justify the retention, then securely and confidentially destroy it.
  • Do you have an approved records retention schedule? If so, use it and delete and destroy records accordingly.

The GDPR will bring a whole host of additional responsibilities and obligations on the University, extra rights for us all as data subjects as well as new and potentially debilitating financial penalties up to a maximum of 20,000,000 Euros for the University. With such significant financial and reputational stakes, it is imperative that we have appropriate protections and processes in place when dealing with personal data.

For further information on data protection, data minimisation, personal data breaches or records and information management please see