Internal, open access

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a new EU legal framework for data protection. The GDPR applies to all member states from the 25th May 2018.

The Regulation replaces the UK Data Protection Act 1998, introduces greater protections for personal data and brings data protection law into the digital age. The GDPR has introduced some new obligations for organisations that collect, use, share and store personal data.

A GDPR Working Group, chaired by the University Secretary, had been set up to look at the impact on University operations and oversee the implementation of any changes required. Membership includes senior leaders from IMPS; Governance; IT; Legal Services; Procurement; Research and Enterprise; Student Services; HR; Planning and Strategy; Campaigns and Supporter Engagement; Campaigns, Marketing, Communication and Engagement, Global Recruitment and Admissions, and Henley Business School.


What are the key changes that GDPR will bring?

Data Breach Reporting

Data Protection by Design and Default

Data Subject Rights






Myth Busting


Data Breach Reporting

The GDPR has introduced a mandatory requirement to notify the data regulator (the ICO) in the event of a breach of data that could have serious consequences for those whose data has been compromised. Where this is the case, the Data Protection Officer is responsible for notifying the ICO within 72 hours.

A new Information Security Incident Policy (PDF 210KB) has already been introduced. This includes the procedures that designated members of the University will take in the event of a breach, and also explains how any member of staff can report an incident to the IMPS office. It is vitally important that incidents are reported straight away so we can assess whether we need to report the matter, but also to ensure we do all we can to mitigate the risks to individuals affected. Never be afraid to report a problem; the worst thing to do is to do nothing. All staff are required to read the new Policy and know how and where to report a problem. This requirement extends to any suppliers, including software suppliers, that are providing services to us involving our data, so ensure that you also report any issues that a supplier may report to you.

Further information is available on the dedicated webpage - Data Breach Reporting.

Data Protection by Design and Default

The GDPR requires us to think about data protection and privacy from the very start of any new use of personal data, for example when procuring a new piece of data hosting software, embarking on a new project or making a significant change to how we handle personal data.

Data protection by design includes assessing the purposes for the data collection and use, the security measures that will protect it, the retention and deletion needs, and how it can be accessed. It also requires us to have measures in place to protect privacy from the outset, for example to have settings within an App defaulted to the least privacy-intrusive option, allowing the user to choose if they wish to change them. For some higher risk activities a Data Protection Impact Assessment (DPIA) will be required. If you are embarking on any of the above activities you can find out if a DPIA is needed and what you will need to do here.

Further information is available on the dedicated webpage - Data Protection by Design.

Data Subject Rights

The GDPR and Data Protection Act (2018) have introduced changes to data subject rights and some new rights. Key changes are explained below and more detailed information is provided on the Data Subject Rights webpage.

The Right to Access

The existing right for a person to access data held about them remains; however, we can no longer charge a fee (previously up to a maximum of £10) and we must now respond to a data access request within 1 month (previously 40 working days). If you receive a request from anyone exercising their right to access their data (these can also come via solicitors or legal representatives) it is vitally important that you notify the IMPS team straight away to ensure we can meet this deadline. Contact

The Right to Erasure

Commonly referred to as the 'right to be forgotten', the GDPR introduces a new right to have all personal data deleted or destroyed. The right is not absolute and only applies in certain circumstances, for example, where we cannot evidence a legitimate basis for retaining it, or where the data has not been used lawfully. These requests can be received verbally as well as in writing and we have 1 month to respond. The IMPS team will be responsible for responding to these requests so again, it is vitally important that you notify the IMPS team straight away if you think you have received a request for erasure. Contact

More information on additional rights can be found on the Information Commissioner's Office website here:


We need to ensure that people are aware of what we are doing with their data. This information should be communicated at the point of collection and can take various forms, such as a web privacy notice, an application form, a research information sheet for participants, or a link to further information provided at the point staff or students join the organisation. Our core privacy notices are currently being updated. If you have a bespoke website for your department or project that does not currently link to the central University Privacy Notice (Policy), and you have not already been contacted by the IMPS team, please contact


The GDPR will introduce more robust requirements for collecting and using people's data with their consent. Under the GDPR there must be an 'affirmative act establishing a freely given, informed, and unambiguous indication' of the person's wishes, and we must be able to evidence this. In most circumstances this means we must have a separate opt-in option for any uses of data that we collect and use with the consent of the individual.

Many of our uses of personal data are NOT on a consent basis. Uses of personal data that are necessary for the performance of a staff or student contract are not with consent, but to deliver those services, for example the provision of teaching and learning, or employee administration.

We also have statutory or legal duties, powers, and obligations to collect and share some types of personal data which is for the purposes of meeting those obligations or performing a public task in the public interest. For example, sharing data with HESA or HMRC.

Our uses of personal data for research activities are also for a public task in the public interest (though consent to take part is still required to meet ethical considerations and will still be required for additional uses of data, such as being added to a participant registry or database).

Areas of activity that will involve consensual uses of personal data include marketing to prospective students, customers or visitors to the University and Alumni and fundraising. Core departments involved in these areas have already been consulted, however if you or your school or department are collecting data in any of these areas, including via web forms on locally managed webpages, or if you are involved in marketing of events, please contact for advice.

Find out more:

The Information Commissioner's Office (ICO) have produced some guidance on consent here:

Records of data processing activities

We are required to keep a record of the data we hold, what we use it for, who it may be shared with, how we keep it secure and how long we keep it for.

A Data Inventory exercise has been undertaken to ensure we can meet this requirement. If you have been asked to conduct a data inventory and need advice please contact

How does this affect marketing activities?

Unsolicited marketing by email, SMS and Fax is already subject to rules imposed by the Privacy of Electronic Communications Regulations 2003 (PECR). These dictate that we must have consent to send unsolicited marketing. Unsolicited means information not specifically requested, and marketing covers a broad scope of any activities promoting events or services we offer through to any promotion of our aims and ideals. This will include activities involving prospecting, outreach and promotion to potential students or visitors and alumni and fundraising communications.

Consent to receive these types of communications must meet the GDPR consent standard.

If you are collecting data for one purpose and intend to also use it for marketing activities, you should have a means for the individual to separately opt in to that at the point of data collection, to ensure you have this consent. You must keep a record of when it was obtained and for what purposes, and should someone withdraw their consent (or unsubscribe from those communications) you must have procedures in place to do this promptly.

If you carry out any marketing activities and would like more information on current Data Protection requirements, you will find the link below provides you with detailed relevant information. Data Protection for Marketing

If you are currently working with lists of contacts used for these marketing purposes and are unsure if you have the necessary recorded consents, or are unsure if those consents are up to date, please contact

How does this affect Research activities?

Updated guidance for researchers has been produced by IMPS with input from the University Research Ethics Committee, Research Data team and Academic representatives and will be published here shortly once approved.


- What about Brexit?

The GDPR will be enforceable law for member states from May 25th 2018 and the UK government have confirmed that the UK will need to comply despite Brexit. On the 14th September 2017 the UK government published a Data Protection Bill which became the new Data Protection Act (2018) that will exist alongside the GDPR and covers those areas of the GDPR that allowed for decisions to be made by individual member states, such as the powers of our own Data Protection Authority (the Information Commissioner's Office). The Data Protection Bill reached Royal Assent on the 23rd May and became the Data Protection Act 2018.

- Will there be GDPR training?

The GDPR will not change the core principles of the Data Protection Act which are already covered in our online training module that all staff must complete. This module will be updated to reference the correct legislation and is currently subject to review. Some of the new requirements will be covered by complying with Policies, including new Policies on Security Incident Reporting, and these will be communicated to all staff. Some of the new requirements will be met by adjusting internal processes such as those involving procurement of new services or suppliers or planning for new projects, and some may be covered within changes to internal template documents and contractual amendments. This is all work currently going on behind the scenes. If you are presented with a new requirement that relates to data protection, this is likely to be the reason.

Tailored training, advice and guidance for key departments will be available. Speak to your line manager if you have any concerns.

A new online training module is currently being sourced. Once in place it is expected that all staff will need to refresh their training in line with the new legislation.

JISC have published a webinar on GDPR which can be viewed via the following link:

JISC GDPR Webinar Sept 2017

Myth Busting

If you have any questions or concerns regarding the GDPR please contact IMPS. There is currently an enormous amount of information on the GDPR being published and circulated. Some of this is useful and informative. Some of this is misleading and incorrect.


Doing things with people's data without their informed explicit consent will be unlawful.

The Facts: Consent is only one of several lawful grounds for holding and using people's data. For example, any uses that are for the purposes of contractual arrangements (including student/employee contracts) are unlikely to be on consent grounds.


Suspected or confirmed breaches of the GDPR MUST be reported to the ICO within 72 hours.

The Facts: Mandatory reporting is required only where the breach poses a risk to the rights and freedoms of individuals, and in that instance, without undue delay, and where feasible, within 72 hours. For these reasons, contracts we have with others that hold data on our behalf will need to be updated to ensure we can meet these requirements.

The University Information Security Incident Response Procedures (PDF 354KB) detail how we review and assess incidents that may require notification.


Breaching the GDPR WILL result in huge fines.

The Facts: Breaches of the GDPR may result in enforcement action by the Information Commissioner which may amount to financial penalties which may be significant.

Maximum penalties increased from £500,000 under the Data Protection Act (1998), to 20 Million Euros or 4% of global turnover under the GDPR. Any fines issued will take into account the circumstances of the breach, the nature of the data involved, any mitigating actions and preventative measures we took, and will be proportionate.

The fines are significant and no doubt a driver for compliance, but more important is that we respect and look after the data we are entrusted with. If we do, we will not only avoid penalties, but also damage to our reputation.

When handling data, imagine it is yours. How would you want it to be protected?

Useful Resources

The House of Commons library have also published some further information on the GDPR and Brexit here.

The Information Commissioner's Office have produced guidance that is available here.

More information will be updated here as it becomes available.

Please refer any queries to


