GDPR FAQs

The General Data Protection Regulation, or GDPR, is the UK regulation which has been based on the EU GDPR which has harmonised data protection laws across the EU.

The GDPR will apply to any organisation processing the personal data of individuals living in the UK, regardless of whether or not that organisation is physically based in the UK.

As with any law, failure to comply with the GDPR could have serious repercussions for St George’s; not only could we incur significant monetary penalties, but it could damage our reputation and affect our ability to carry out our business.

The GDPR came into force originally as the EU GDPR on 25 May 2018 but is now known as the UK GDPR which came into force when the UK formally left the EU.

 

The UK GDPR has superseded the Data Protection Act 1998 in the UK.

A new UK Data Protection Bill, which has become the Data Protection Act 2018, introduced GDPR into UK law and the 2018 Bill provides clarification for some of the terms that appear in the GDPR. Therefore, the UK GDPR should be read alongside the Data Protection Act 2018.

The UK currently has an adequacy agreement with the EU which ensures the continued flow of personal data between us and the other EU member states.

The GDPR introduces some new requirements and also updates a few existing ones. Areas where changes appear include:

• the rights of the individual, eg a new ‘right to be forgotten’ as well as changes to how data protection requests must be processed

• consent, eg this must be ‘opt in’ rather than ‘opt out’

• sensitive personal data, which will be referred to as sensitive category data and will now include genetic and biometric data

• data breaches, which must be reported within 72 hours and fines will be much larger

• lawful basis for any processing must be documented and included in the privacy notice

• privacy notices have a checklist of information that must be included

• data privacy impact assessments will be mandatory in certain circumstances

• public authorities, which includes universities, must have a designated data protection officer

• special protections for children’s personal data will be introduced and the age of consent for processing of personal data is set at 16 (but may be lowered to 13 in the UK)

• data processors have increased responsibility and can now be fined by the ICO.

More detailed information on these areas can be found in the ‘Key definitions and changes’ FAQs on this page.

The new requirements of the GDPR will result in some changes in the way the university processes personal data. This may mean that the policies and procedures your department has for managing personal data will be amended in some way, or that you will end up with some new policies and procedures to follow. For example, if your team uses consent forms that currently have ‘opt-out’ boxes these will need to change to ‘opt-in’. The GDPR working group will issue advice and guidance on these requirements.

For health and social care research, the new regulation is not very different from the current requirements. The Health Research Authority (HRA), the UK health and social care research regulator, has stated it does not intend on adding to the existing safeguards. Current guidelines and best practice, if followed, would meet the requirements of the GDPR within a research setting. In addition, research, especially within healthcare, will have special exemptions/derogations which have yet to be fully outlined by the UK government.

Most research studies that have involved use of confidential patient/participant information have sought consent from the participants. This meets ethical expectations to promote the autonomy and privacy of research participants and avoids a breach of the common law duty of confidentiality. This is not changing with the introduction of the GDPR. However, for GDPR, the legal basis for processing data for health and social care research is not ‘consent’. GDPR requires each activity of processing data to have a legal basis under this legislation, in addition to the common law basis. For health and social care research, the legal basis is determined by the type of organisation:

• For universities, NHS organisations or research councils, the processing of personal data for research will be a ‘task in the public interest’.

• For commercial companies (engaging in research) and charitable research organisations, the processing of personal data for research will be undertaken within ‘legitimate interests’.

Further guidance on the management of research data will be disseminated by the JRES in due course. General information can be found on the HRA website. 

St George’s has produced awareness training on data protection which is mandatory for all staff to complete.

More information can be found in the section below (‘Key definitions and changes’) and also on the Information Commissioner’s Office (ICO) website.

A privacy notice is a statement detailing what personal data someone collects about you, why they collect it and what they do with it. Transparency in the use of personal data has always been an important aspect of the Data Protection Act and it continues to be so with the GDPR. However, the GDPR now sets out a ‘checklist’ of the information that must be included within a privacy notice, as well as indicating how and when the privacy notice must be made available to the individual whose personal data is being collected.

St George’s will be providing more comprehensive guidance on how and when to draft a privacy notice in due course.

The Data Protection Act dictates that processing of personal data must be ‘lawful’ and must meet one of the criteria listed in the Act.

The same applies with the GDPR. So if you are processing personal data then you must meet one of the conditions laid out in the regulation, these being:

a)      the data subject has given their consent to this processing

b)      the processing is necessary for the performance of a contract with the data subject

c)       the processing is necessary for compliance with a legal obligation

d)      the processing is necessary in order to protect the vital interests of the data subject or another living individual

e)      the processing is necessary for the performance of a task carried out in the public interest

f)        the processing is necessary or the legitimate interests of the data controller.

The GDPR places an additional requirement that you must be able to demonstrate the lawful basis for all of your data processing activities, and that these lawful bases be made known to the individual whose personal data is being processed, ie via the relevant privacy notice.

The GDPR also stipulates that public authorities (including universities) may only rely on using the final condition, ‘legitimate interests’, where it does not apply to one of our core tasks, ie education and research.

Consent should only really be relied on where no other option is available as consent can always be withdrawn by the individual.

Under the GDPR, the mechanisms used for obtaining consent must adhere to certain rules. For example, consent must be ‘explicit’ meaning it must be absolutely clear to the individual what it is they are consenting to; consent must involve an affirmative action by using opt-in (not opt-out) boxes and should not involve the use of pre-ticked boxes; consent for different uses of personal data should be dealt with as separate indications of consent, not grouped together under a single tick box. It will be important to review your consent mechanisms every so often, and keep records of when/how you change your consent forms.

You will also need to pay special attention to the type of language you use when obtaining consent from children. Any explanation of what you will be doing with children’s personal data must be phrased in a way that will be easily understandable to them. Where a child is below the relevant age of consent you will need to include parental (or guardian) consent. The GDPR sets the age of consent as 16, but the regulation provides scope for member states to lower this as far as 13. It is possible that the new Data Protection Bill will set the age of consent for data protection purposes in the UK as 13. 

More detailed guidance on drafting a consent form under GDPR can be found on the ICO’s website.

There will be a new duty to report a data breach, whether accidental or deliberate, within 72 hours of becoming aware of it.

The GDPR also sees a significant increase in the size of the fines that the ICO will be able to impose. Under the Data Protection Act, the maximum fine the ICO can levy is £17.5M or 4% of global turnover (whichever is higher).

So every member of the university will need to make sure they are aware of their responsibilities to help prevent breaches, and also of the importance of reporting a breach as soon as they are aware that there has been one.

St George’s will be producing a policy on the process for reporting breaches.

Individuals have the right to request a copy of the personal data an organisation holds on them. The Data Protection Act allows 1 month for complying with such requests. This is reduced to one month under the GDPR. The GDPR also removes the ability to charge an individual for providing them with a copy of their information.

The GDPR introduces some new rights for the individual, such as the right to erasure (also referred to as the right to be forgotten) and the right of data portability. The right to erasure allows an individual to request that their personal data be deleted, so long as there isn’t a compelling reason to continue processing it, eg that there isn’t a legal obligation for an organisation to retain the personal data. The right of data portability means that an individual has the right to request a copy of their personal data in a format that will allow them to reuse it, eg if they want to transfer their data to a different service provider or to use it for a completely different purpose.

Further clarification of what the ‘rights of the individual’ are can be found on the ICO website.