What is GDPR?

On 25 May 2018, the new General Data Protection Regulations (GDPR) came into force.

GDPR and the new Data Protection Act 2018 (DPA 2018) replaced the old UK Data Protection Act 1998, and strengthened privacy rules and requirements around how information relating to individuals can be used.

GDPR also updates and unifies data protection law across Europe.

Why does the University collect personal data?

The University needs to collect and process personal data in order to provide necessary services to its students, manage its operations effectively, and meet certain legal requirements.

How does GDPR affect me?

We are required by law to process your personal data in accordance with GDPR and the DPA 2018, which have superseded the old Data Protection Act. This affects all UK organisations which handle and/or process data.

What is the University doing about it?

We have made changes to ensure that we are compliant with the new regulations. This includes writing a Privacy Notice which outlines what data we collect, who we share it with and for what purpose.

We have also updated our terms and conditions which continuing and new students will need to read and sign at registration.

What do I need to do now?

Please read our new privacy notice to find out how we will process your personal data under the General Data Protection Regulations (GDPR)

What if I have questions about GDPR?

We have included some FAQ below, however, if you have any other questions relating to GDPR, please contact the Data Protection Officer DPO@beds.ac.uk

What about Brexit?

GDPR is an EU Regulation; however Brexit has not affected the introduction of the regulation. The UK government has introduced the Data Protection Act 2018, which incorporates the requirements under GDPR.

How do you define Personal Data?

Personal data is any information relating to an identifiable individual.  It can identify the individual directly or indirectly (i.e. in combination with other information), so could include name, identification number, online identifier, location data, or other factors specific to the physical, genetic, mental, economic, cultural or social identity of the person.

How are GDPR and the DPA 2018 different from the old Data Protection Act?

The new data protection legislation introduces new requirements for organisations who handle personal data, including a need to be able to demonstrate compliance to a greater extent than previously.  It also establishes stronger rights for individuals designed to give them more control over how their personal data is used.  It strengthens the regulatory environment and introduces enhanced penalties for non-compliance.  It is intended to account for dramatic changes in the way that personal data is used, and the technological advances enabling this, that have occurred since the old Data Protection Act was introduced.

What are the GDPR principles?

GDPR contains seven key principles, or golden rules, which say that personal data must be:

• i) Processed lawfully, fairly and transparently.
• ii) Collected for specified and legitimate purposes and not further used for other purposes incompatible with these (however, this rule is amended where the further purpose involves research).
• iii) Adequate, relevant and limited to what is necessary.
• iv) Accurate and kept up to date.
• v) Only kept for as long as necessary for the purpose it was obtained for (however, this rule is amended where the data is being used for research).
• vi) Processed in a manner ensuring appropriate security.
• vii) The accountability principle is new, and requires us to take responsibility for what we do with personal data and how we comply with the other principles.

What does “Processing” of personal data mean?

It means any operation or set of operations that is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction