Internal, open access

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a new EU legal framework for data protection. The GDPR will apply to all member states from the 25th May 2018.GDPR_LOGO 

The Regulation will replace our current UK Data Protection Act 1998, introduce greater protections for personal data and bring data protection law into the digital age. The GDPR introduces some new obligations for organisations that collect, use, share and store personal data. 

A GDPR Working Group, chaired by the University Secretary, has been set up to look at the impact on University operations and oversee the implementation of any changes required. Current membership includes senior leaders from IMPS; Governance; IT; Legal Services; Procurement; Research and Enterprise; Student Services; HR; Planning and Strategy; Campaigns and Supporter Engagement; Campaigns, Marketing, Communication and Engagement, and Henley Business School.

What are the key changes that GDPR will bring?

1. Consent

The GDPR will introduce more robust requirements for collecting and using people's data with their consent. Under the GDPR there must be an 'affirmative act establishing a freely given, informed, and unambiguous indication' of the persons wishes, and we must be able to evidence this.

What does this really mean though...?

It means assuming someone has consented if they do not indicate otherwise (or opt out) will no longer be acceptable. Pre ticked boxes will not meet the necessary thresholds. It means we need to be really clear when we explain to people what we are going to do with their data, for example, when conducting marketing surveys or research studies, and ensure that they 'opt in' to that. 'Freely given' means we cannot make non essential uses of people's data (further marketing or contact about other things we are doing) a condition of providing another service that we offer. We must also keep records of people's preferences, including if they later withdraw consent.

2. Records of data processing activities

To comply with the GDPR we need to have a clear picture of what data we hold, where it is, what we use it for, who we may share it with, and how long we keep it.


An exercise is underway and data inventories have already been issued to some areas of the University to get a fresh look at what we hold. If you have been asked to conduct a data inventory and need advice please contact

3. Notification of high risk data security Incidents

The GDPR will introduce a mandatory requirement to notify the Information Commissioner's Office (the UK data regulator) in the event of a breach of data that could have serious consequences for those whose data has been compromised. Where this is the case, these must be reported to the regulator within 72 hours.

Sounds tough, how are we going to do that..?

A new Information Security Incident Policy has already been introduced. This includes the procedures that key members of the University will take in the event of a breach, and also explains how any member of staff can report an incident. You can find this on our policy pages. It is now even more important that all incidences are reported quickly so we can manage the situation effectively. Never be afraid to report an issue, mistakes are easy to do and very often it is not half as bad as you think it might be! The worst action to take is to do nothing and hope for the best. Reporting an incident also means we can look at what went wrong and whether anything can be done to prevent reoccurrences. We can also support you in remedying and mitigating the impact as far as possible.

4. Data Protection by Design and Default

The GDPR also requires us to think about data protection and privacy from the very offset of anything we plan to do with people's data, for example when procuring or designing new tools for managing data, and embarking on new uses for data. This is particularly the case when any new initiative, project, or data hosting tool could pose a high risk to privacy or data security. The Data Protection Officer must be involved in cases where this applies. Measures we can take to evidence Data Protection by Design would include conducting privacy impact assessments to identify any risks early on, designing processes that take into account privacy, and documenting measures taken to mitigate against any risks that remain. Another measure would be performing due diligence checks on any third parties that may hold data on our behalf to ensure they have enough technical security and contractual terms that cover data protection.

How does this impact me exactly..?

If you are embarking on a new project or looking to use a fantastic piece of new software your proposal will likely be referred to the University Data Protection (IMPS) Officer. This may be via several routes which currently could include your IT Business Partner, Procurement, Project or legal teams. In some cases this will go on behind the scenes, but it is likely we may need to ask some more questions to ensure we are meeting these requirements. You should factor in adequate time to allow for these assessments. The sooner the IMPS team are involved, the sooner you can get up and running! 

What are the requirements for marketing?

Unsolicited marketing by email, SMS and fax is subject to rules imposed by the Privacy of Electronic Communications Regulations 2003. We are already required to have consent to sent unsolicited marketing, which will include fundraising communications, via these channels. These regulations are also soon to be updated and will be covered by the new E-Privacy Regulation. The E-Privacy Regulation will bring the standard of consent in line with that of the GDPR. Opt Out approaches, silence, inactivity or un ticked or pre ticked boxes will not meet the GDPR consent standard (and arguably, that someone didn't opt out only ever indicated 'I have no objection' and not 'I consent'). Some different rules apply  where contact details were obtained as part of a sale. More information specifically for marketers and fundraising will be available soon. In the meantime, contact imps for advice or see the ICO pages for more information, here.


 - What about Brexit?

The GDPR will be enforceable law for member states from May 25th 2018 and the UK government have confirmed that the UK will need to comply despite Brexit. On the 14th September 2017 the UK government published a Data Protection Bill that will exist alongside the GDPR and covers those areas of the GDPR that allowed for decisions to be made by individual member states, such as the powers of our own Data Protection Authority (the Information Commissioner's Office).

- Will there be GDPR training?

The GDPR will not change the core principles of the current Data Protection Act which are already covered in our online training module that all staff must complete. This module will be updated to reference the correct legislation and is currently subject to review. Some of the new requirements will be covered by complying with Policies, including new Policies on Security Incident Reporting, and these will be communicated to all staff. Some of the new requirements will be met by adjusting internal processes such as those involving procurement of new services or suppliers or planning for new projects, and some may be covered within changes to internal template documents and contractual amendments. This is all work currently going on behind the scenes. If you are presented with a new requirement that relates to data protection, this is likely to be the reason.

Tailored training, advice and guidance for key departments will be available. Speak to your line manager if you have any concerns.

JISC have published a webinar on GDPR which can be viewed via the following link:

JISC GDPR Webinar Sept 2017


Myth Busting

If you have any questions or concerns regarding the GDPR please contact IMPS. There is currently an enormous amount of information on the GDPR being published and circulated. Some of this is useful and informative. Some of this is misleading and incorrect.


Doing things with people's data without their informed explicit consent will be unlawful.

The Facts: Consent is only one of several lawful grounds for holding and using people's data. For example, any uses that are for the purposes of contractual arrangements (including student/employee contracts) are unlikely to be on consent grounds.


Suspected or confirmed breaches of the GDPR MUST be reported to the ICO within 72 hours.

The Facts: Mandatory reporting is required only where the breach poses a risk to the rights and freedoms of individuals, and in that instance, without undue delay, and where feasible, within 72 hours. For these reasons, contracts we have with others that hold data on our behalf will need to be updated to ensure we can meet these requirements.

The University Security Incident Response Procedures detail how we review and assess incidents that may require notification.


Breaching the GDPR WILL result in huge fines.

The Facts: Breaches of the GDPR may result in enforcement action by the Information Commissioner which may amount to financial penalties which may be significant.

Maximum penalties will increase from £500,000 under the current Data Protection Act, to 20 Million Euros or 4% of global turnover under the GDPR. Any fines issued will take into account the circumstances of the breach, the nature of the data involved, any mitigating actions and preventative measures we took, and will be proportionate.

The fines are significant and no doubt a driver for compliance, but more important is that we respect and look after the data we are entrusted with. If we do, we will not only avoid penalties, but also damage to our reputation.

When handling data, imagine it is yours. How would you want it to be protected?

Useful Resources

The House of Commons library have also published some further information on the GDPR and Brexit here.

The Information Commissioners Office have produced guidance that is available here.

More information coming soon. Please check this page for updates.

Please refer any queries to



Things to do now

Contact IMPS

Page navigation

See also

See the 'Top Ten Tips' for IT Security

Click here


Search Form

A-Z lists