The General Data Protection Regulation becomes law on Friday 25 May 2018.

Here’s what you need to do now to make sure that you are working with personal data in a way that is compliant with GDPR:

1. Find out more about GDPR by watching the GDPR podcast. An online learning module about GDPR is also on its way, so look out for further publicity about this soon.
2. Review the University’s Privacy Notices. If you work with the personal data of University staff or students, please review the privacy notices for these groups. If you are processing the personal information of individuals outside the University, you may need to direct them to the relevant Privacy Notice. Please read the Privacy Notice Procedure on the GDPR Workspace. For more assistance contact the Information Compliance team.
3. If you hold personal data and have not yet been asked to complete an Information Asset Register return, please read the Information Asset Register procedure on the GDPR Workspace and if necessary complete the return spreadsheet.
4. If you share personal data with organisations outside the University, these data sharing or processing agreements need updating to reflect more stringent requirements under GDPR. Please contact the Information Compliance team if you need help with reviewing or deciding whether you need to set up an agreement.
5. Ensure you know how to identify a data breach and how to report it. Under GDPR, we are obliged to report data breaches to the Information Commissioner’s Office within 72 hours of becoming aware of them and there are likely to be penalties for failing to report breaches. Please read the Personal Data Breach procedure on the GDPR Workspace and know where it is should you need to refer to it in the future.

For more information and to view a library of GDPR relevant information, visit the GDPR Workspace.