IT Services | IT safety, security and data protection | General Data Protection Regulations (GDPR)

Document Actions

General Data Protection Regulations (GDPR)


On 25 May 2018 the EU General Data Protection Regulations (GDPR) will come into force. There will be various new measures for individuals and organisations that work with personal data. The new regulations are replacing the Data Protection Act (1998)

With the increased use of personal digital data, the introduction of the new regulations is a major legislative change designed to address the concerns around how data is used and to protect the rights of individuals.

The biggest change is that institutions will be held far more accountable for the data they hold. As well as records of what personal data exist within the organisation, the GDPR requires a documented understanding of why information is held, how it is collected, when it will be deleted or anonymised and who may gain access to it.

The GDPR is intended to increase individuals’ awareness of their rights, so organisations handling personal data are facing higher expectations. 

Note: The GDPR are directly applicable in all EU member states and do not require local legislation to embed them.  However, the Government is bringing in a Data Protection Bill (DPB) which will apply in parallel with the GDPR. The new legislation is applicable to all organisations in the UK regardless of any outcome of Brexit.

The Information Commissioner's Office (ICO) provide guidance on GDPR in the UK.

Key characteristics

  • High fines for data breaches
  • Data Protection Officer
  • Individual rights
    • right to be informed (privacy statements)
    • right to be forgotten
    • right of access (subject access request remove £10 fee)
  • Lawful processing statements

What is Birkbeck's response?