An Introduction to the General Data Protection Regulation

Presentation transcript:

1 An Introduction to the General Data Protection Regulation
Intro slide - If your presentation does not relate solely to student recruitment, please use this version

2 General Data Protection Regulation
Single set of rules for all EU nations
Supersedes the Data Protection Act 1998
Applies to international organisations that offer goods or services to, or monitor, EU citizens
Sits with the newly passed UK Data Protection Act
Requires Data Protection by Design & Default and documented accountability

3 Think about it… Are you familiar with the previous Data Protection Act 1998? Do you know anything already about the GDPR? What are your expectations from this training?

4 Data protection principles
1. Personal data shall be:
   processed lawfully, fairly and in a transparent manner;
   collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
   adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
   accurate and, where necessary, kept up to date;
   kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
   processed in a manner that ensures appropriate security of the personal data.
2. The controller shall be responsible for, and be able to demonstrate compliance with, the above (the Accountability Principle).

5 Think about it… How might you demonstrate accountability with the principles? What procedures does your team, Service, School, Institute, or College have in place to comply with any of the principles?

6 Personal data
Any information relating to a natural person who can be identified, directly or indirectly, by that information:
Name
Identification number
Location data
Online identifier
Pseudonymised data
Factors specific to physical, physiological, genetic, mental, economic, cultural or social identity

7 Special categories of personal data
Personal data relating to:
racial or ethnic origin
political opinions
religious or philosophical beliefs
trade union membership
genetic or biometric data processed for the purpose of identification
health
sex life or sexual orientation

8 Think about it… Can you identify the different types of personal data and special categories of personal data that you work with or store? Include the data processed by your team, Service, School, Institute, or College

9 What is processing?
Any operation or set of operations performed on personal data or on sets of personal data:
collection, recording, receipt
storage, backup, filing, retention
display, scanning, review
deletion, destruction
editing, updating, modification
copying, transmission, transfer, release
loss, mislaying, misdirection

10 When can you process personal data?

PERSONAL DATA
Consent
Necessary for performance of contract
Necessary for compliance with legal obligation
Protect vital interests of individual
Necessary for performance of a task in the public interest
Necessary for the purposes of legitimate interests

SPECIAL CATEGORIES OF PD
Explicit consent
Required to comply with employment, social security, or social protection legislation
Protect vital interests of individual
In connection with legal proceedings and administration of justice
Information already made public by data subject
Necessary for medical reasons or public interest in relation to public health
Necessary for archiving, scientific or historical research, or statistical purposes

What are you telling students on your first interactions? What sort of agreement is presented to them, and what are they “signing” up for? Is it a contract for service? Is it legitimate interests?

11 Think about it… Based on the personal data you previously identified, what are your legal bases for processing those different types of data?

12 Conditions for consent
Implied consent is unacceptable for processing
Demonstrable by a statement or clear affirmative action
Freely given, specific, informed, unambiguous
Consent must be obtained for every processing scenario
Consent can be withdrawn at any time

13 New and expanded rights
Right to be informed
Right of access
Right to rectification
Right to erasure
Right to restriction
Right to data portability
Right to object
Right to prevent automated processing, including profiling

Talk about profiling, because of the work Planning does? All rights issues must be shared with any organisation we’ve shared the data with, e.g. rectifications must be relayed to HESA.

14 New and expanded rights
Data subjects must be aware of their rights
Responses must be provided within one calendar month
Systems and procedures must be in place to adhere to rights
Documentation of adherence required
If a right is exercised, we must notify any third party we’ve shared the relevant data with

15 Think about it… If someone exercised any one of their rights, how would you or your team go about providing a response? Do you know how to find and access the data? Can you erase it, correct it, or restrict it?

16 Privacy notices under GDPR
Presented to the data subject whenever new processing is undertaken
Consider a layered approach to notification
Must explain: personal data being processed, purpose of processing, intended retention, subject rights, source of data, conditions of processing, intended sharing or international transfer, existence of automated decision making, including profiling

Layered approach – just-in-time notices, Uni calendar, etc.

17 Think about it… University staff have a number of responsibilities that help the University to uphold and demonstrate compliance with the GDPR. The next few slides detail how we can meet these responsibilities.

18 Your responsibilities: Data Protection by Design
Maintain documentation and implement measures to demonstrate compliance with the principles
Internal audits, reviews, training
Document processing activities to ensure transparency
Employ data minimisation and pseudonymisation
Do you need the data?

19 Your responsibilities: Data Protection by Design
Data Protection Impact Assessments
Description of intended processing and purposes
Risk assessment and detail of risk avoidance measures
Required when:
using new technologies, profiling, surveilling, processing of special categories of personal data
processing is likely to result in risk to the rights and freedoms of individuals

20 Your responsibilities: data sharing agreements
Contract laying out multiple parties’ commitments to personal data
Required for sharing personal data with processors or any other third parties outwith the University
Ensures compliance with GDPR Principles and international or third party transfer requirements
Ensures you are working with a GDPR compliant processor
Drafted by the Contracts team within Finance

21 Your responsibilities: data security
Appropriate and secure storage for paper and electronic records
Encrypt data on laptops, tablets, memory sticks, etc.
Authorised access only, no password sharing
Double-check your correspondence addresses and attachments
Do not share information with 3rd parties without data sharing agreements
Destroy records appropriately and securely
Be aware of your cloud usage

22 Think about it… How do you meet the requirements of these various responsibilities? Do you know all of the personal data that you process? Can you conduct an information audit within your work area or with your team? Are you embarking on any projects or purchasing any products that may require a DPIA? Do you share data with any third parties, and if so, do you have appropriate agreements or contracts in place? How can you demonstrate and ensure appropriate data security?

23 All exemptions must be determined and exercised by DP & FOI Office.
Crime – we can share personal data in order to aid the prevention or detection of crime or the apprehension and prosecution of offenders; any requests from law enforcement should be handled by the DP Office
Research and statistics – if you’re using personal data for research or statistical purposes, you may be exempt from access, rectification, restriction and objection rights
Exam scripts – personal data recorded by candidates during an exam are not subject to right of access or privacy notice requirements
Confidential references – personal data in references created or given by GU are not subject to right of access or privacy notice requirements

24 Personal data breaches
A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
Breaches must be reported immediately to the DP & FOI Office, and to the ICO within 72 hours
Sanctions vary depending on the severity and extent of the breach and the organisation’s response
Max fines = €20 million or 4% of annual worldwide turnover

READ SLIDE
Common breaches include sending an email to the wrong individuals or including addresses in the “TO:” line rather than the “BCC:”, sharing a spreadsheet with personal data on it, or losing a mobile device (such as a memory stick or laptop). As we said, get in touch with our office asap in the event of any data breach. If you do accidentally send an email to the wrong recipients, also get in touch with IT Services immediately – they may be able to recall the message before it is opened and/or read. We want to stress here the importance of urgency in breach responses. Responding promptly to a breach enables us to limit damage, to contain the breach and its impact, and it puts us in better stead with the Information Commissioner if they are notified or investigate. Additionally, the incoming General Data Protection Regulation mandates timescales for breach reporting – but you’ll hear more about that later in the presentation. So, the bottom line to remember is that as soon as you are made aware of a breach (or commit one yourself), notify our office and we will get the ball rolling.
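The most common breach named above is the one that is easiest to catch before it happens: a group mailing with every recipient in “TO:” or “CC:”, so each person’s address (and their membership of the group) is disclosed to all the others. The check below is an added example, not part of the training material or any University system. It assumes it runs where the outbound message is still available with its headers (a submission-time hook in a mail client or gateway), that the internal domain is example.ac.uk (a constructed placeholder), and that the threshold values are local policy choices, not anything the training prescribes. All sample messages are constructed.

```python
"""Pre-send check for the "addresses in TO: instead of BCC:" breach pattern.

Added example, not part of the original training material. It assumes the
outbound message is still available with its headers, e.g. in a mail client
or gateway hook; the domain and thresholds below are assumptions.
"""
from email import message_from_string
from email.utils import getaddresses

# Constructed placeholder for the organisation's own domain(s).
INTERNAL_DOMAINS = frozenset({"example.ac.uk"})


def visible_recipients(raw_message: str) -> list[str]:
    """Return the lower-cased addresses exposed to every recipient (To: and Cc:).

    Bcc: recipients are deliberately not counted: they see the To:/Cc: lines
    but are not themselves shown to anyone else.
    """
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _, addr in pairs if addr})


def check_recipient_exposure(raw_message: str, max_external: int = 2) -> dict:
    """Flag a message that discloses many external recipients to each other.

    Mailing a group of individuals (students, applicants) with everyone in
    To:/Cc: reveals each address, and the fact that the person belongs to that
    group, to all the others. Internal colleagues on the same thread are not
    counted; the threshold for external addresses is an assumption.
    """
    visible = visible_recipients(raw_message)
    external = [a for a in visible
                if "@" in a and a.split("@", 1)[1] not in INTERNAL_DOMAINS]
    exposed = len(external) > max_external
    return {
        "visible_count": len(visible),
        "external_count": len(external),
        "exposed": exposed,
        "advice": "move recipients to Bcc: before sending" if exposed else "ok",
    }


# Constructed sample messages.
MASS_MAIL = (
    "From: admissions@example.ac.uk\n"
    "To: a@gmail.com, b@outlook.com, c@yahoo.co.uk\n"
    "Subject: Your offer\n\nbody\n"
)
BCC_MAIL = (
    "From: admissions@example.ac.uk\n"
    "To: admissions@example.ac.uk\n"
    "Bcc: a@gmail.com, b@outlook.com, c@yahoo.co.uk\n"
    "Subject: Your offer\n\nbody\n"
)
INTERNAL_MAIL = (
    "From: x@example.ac.uk\n"
    "To: y@example.ac.uk, z@example.ac.uk\n"
    "Cc: w@example.ac.uk\n"
    "Subject: Team meeting\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("mass", MASS_MAIL), ("bcc", BCC_MAIL), ("internal", INTERNAL_MAIL)):
        print(name, check_recipient_exposure(raw))
```

The check only sees headers, so it cannot tell whether the attachment is a spreadsheet full of personal data; that part of the slide still relies on the sender double-checking attachments, as the data security slide says. Where a mailing to external recipients is flagged, the fix is the one the notes give: move them to Bcc:, and if the message has already gone, contact the DP & FOI Office and IT Services immediately.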

26 Get in touch: https://www.gla.ac.uk/myglasgow/dpfoioffice/
Phone: /glasgowuniversity @UofGlasgow @UofGlasgow UofGlasgow Search: University of Glasgow
