What is GDPR?
The General Data Protection Regulation 2016
The General Data Protection Regulation 2016 ("the GDPR") sets out the protections afforded to personal data.
In addition to extending the protection for individuals in respect of the processing of their personal data, the GDPR also introduces more severe penalties for non-compliance by those handling your personal information.
Under the GDPR non-compliance could result in a fine of up to a maximum of €20 million, or 4% of annual turnover.
Whilst the terminology used in the GDPR is very similar to the Data Protection Act 1998 (“the DPA”), there are some notable differences. In particular, the GDPR has broadened the meaning of “consent” and “special categories of personal data” (sensitive personal data under the DPA) as follows:
“Consent” under the GDPR has to be a freely given, specific, informed and unambiguous indication of your wishes which you confirm by taking a positive step (such as ticking a box) to show your agreement to the processing of your personal information. This means that it is no longer valid for those collecting personal data to assume consent through inaction (such as not unticking a pre-ticked consent box) or by asking you to opt out. The GDPR also provides you must be able to withdraw your consent at any time.
“Special categories of personal data” refers to any personal information which reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and also includes the processing of genetic data and biometric data, for the purpose of identifying you, as well as information about your health or your sex life or sexual orientation.
Our obligations under the GDPR
For the purposes of the GDPR, the data controller will be the Coventry University Group entity which determines the purposes and means by which we process your personal data and which is responsible for deciding how that data is handled.
The University has a Data Protection Officer (DPO). If you would like to contact the DPO please email email@example.com
Complete data controller entries for the entities which make up Coventry University Group can be found on the ICO’s register.
As a data controller, we are required to put in place appropriate technical and organisational measures to ensure that your personal data is being handled in accordance with the GDPR and have to be able to demonstrate that we have done this.
The GDPR sets out new principles for how we should handle personal data. Under the GDPR, we will need to be able to demonstrate that all personal data that we process is:
1. processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”).
The processing of personal data (other than special categories of personal data) will only be lawful if one of the following conditions is met:
- you have given your consent to the processing of your personal data for one or more specific purposes. To be valid, consent must be freely given, specific, informed and unambiguous – i.e. you must be able to understand what you are being asked to consent to and why, and must take a positive step to evidence your consent;
- processing is necessary for the performance of a contract between you and a member of the Coventry University Group;
- processing is necessary for compliance with a legal obligation which we are required to meet;
- processing is necessary in order to protect your life or the life of another person;
- processing is necessary for the performance of a task which we carry out in the public interest; or
- processing is necessary for the purposes of our legitimate interests or those of a third party save where our interests are overridden by your interests or fundamental rights and freedoms.
The processing of special categories of personal data will only be lawful under the GDPR if one of a series of strict conditions is met, including that:
- you have given your explicit consent to the processing of that information for one or more specified purposes (unless we are legally prohibited from processing that particular piece of information);
- processing is necessary to protect your life or that of another person where you are physically or legally incapable of giving consent.
Where we can demonstrate that consent has already been freely given as required by the GDPR, we will not need to ask again. However, we will seek consent again where this cannot be demonstrated and you may therefore receive a further request from us to consent to the processing of your personal data going forward.
2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (“purpose limitation”).
3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”).
4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”).
5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject (“storage limitation”).
6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
In ensuring the security of your personal data, we (and any party which processes personal data on our behalf) are required to put in place appropriate technical and organisational measures to ensure the security of your information. The measures we need to take are those which are appropriate to the risk posed to your personal data by our handling of it. In deciding what measures we need to put in place, we look at current developments in products and procedures, as well as the costs of implementation and the nature, scope, context and purposes for which we are handling your personal data. We also need to consider the potential risks to your rights and freedoms. The measures which we may take include pseudonymisation and/or encryption of your personal data, and may include a process for regularly testing, assessing and evaluating the measures which we have put in place.
Where we are using new technology to process your personal information, or starting a new project which could have an impact on your privacy, and we think there is potentially a high risk to your rights and freedoms, we will carry out a Data Protection Impact Assessment (DPIA) before we start processing your personal data, to assess the impact which the processing will have on the protection of your personal data.