General Data Protection Regulation
The General Data Protection Regulation was adopted by the EU in April 2016 and will come into force in May 2018. Although there is a two-year lead-in period, it is vital that universities use all of this time to prepare, as the Regulation introduces some significant changes.
The Regulation has an extended territorial reach. It applies to all organisations that process EU residents’ personal data, regardless of where those organisations are based. The location of the person whose data is being controlled or processed is now as relevant as the location of the organisation controlling or processing their data.
The Regulation allows organisations to deal with only one supervisory authority. For EU-based organisations this will be their home state; for other organisations it will be the authority in the EU state where they do most business. While the UK remains within the EU, the Information Commissioner’s Office will be the relevant supervisory authority for British universities.
Non-compliance exposes organisations to a two-tier system of significantly increased penalties. Lower-tier penalties, defined as fines of up to 2% of prior-year worldwide turnover or €10 million (whichever is greater), may be incurred for breaches such as: a failure to meet the Regulation’s privacy-by-design provisions; inadequate contracts between data controllers and data processors; or poor record keeping. Upper-tier penalties of up to the greater of 4% of worldwide turnover or €20 million can be incurred for poor information security practices; failure to obtain proper consent; or unlawful data transfers to countries outside of the European Economic Area.