Skip to main content

General Data Protection Regulations (GDPR)

On 25 May 2018, the EU General Data Protection Regulations (GDPR) came into force. GDPR replaces the Data Protection Act (1998) and ensures that individuals and organisations are held accountable for the personal data they collect, store and use.

We are committed to protecting the personal data of everybody who uses our website and we will comply with all key legislation in this area. 

Key points of GDPR  

  • The Information Commissioner's Office (ICO) defines personal data as 'any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier', which includes: 
    • names 
    • addresses
    • dates of birth
    • phone numbers 
    • email addresses
    • National Insurance numbers
    • photographs 
    • videos and voice recordings.
  • Organisations must keep records of what personal data they hold and document why it is held, how it is collected and used, when it will be deleted or anonymised, and who can access it. 
  • The regulations cover the personal data of all individuals, including students, staff, visitors, customers, alumni, donors and supporters, employers and governors. 
  • Users must opt in and give explicit permission for us to hold their data (rather than the present 'opt-out' approach). 
  • Data must be held securely - there will be high fines for data breaches. 
  • Individual rights will include:
    • the right to be informed (privacy statements will need to be expanded to explain the new responsibilities)
    • the right to be forgotten (data subjects can request that their data is deleted)
    • the right of access (subject access requests will have the £10 fee removed). 
  • Data must be shown to be processed lawfully, and privacy statements must explain how. 

Contracting with third parties

  • Birkbeck, like many other organisations, contracts with third parties and exchanges personal data with them for a variety of reasons. 
  • For the purposes of data protection legislation, these third parties are deemed to be either 'data processors' or 'data controllers'. Data processors (such as Microsoft or Google or Business World) act entirely under our instructions. Data controllers, such as partner institutions, make autonomous decisions about the use of the data they control.
  • You should not transfer data to any third party without first checking that there is an appropriate agreement in place between Birkbeck and the third party. Please .

Data breaches

Birkbeck's response to GDPR 

  • We are managing an ongoing project to ensure compliance, which is focusing on:
    • maintaining College-wide communications 
    • appointing a Data Protection Officer 
    • appointing an IT Security Manager 
    • auditing our data 
    • updating privacy statements.

Essential information for Birkbeck staff  

  • Any staff member who ask for personal information and records it somewhere - even if you don't act on it - is processing personal data and, hence, required to comply with the law. 
  • Ideally, you should not hold local records of personal information. If it is necessary, then you should use encryption and password protection (e.g. Word and Excel documents can be password protected). 
  • You should not use locally held/maintained email lists and, when emailing a list, don't put email addresses in the To or CC (carbon copy) fields - use BCC (blind carbon copy) instead (this hides individual email addresses from recipients). Read our advice on bulk emailing
  • You should not set up systems for collecting or storing personal information on behalf of the College, either in locally developed infrastructure or cloud-hosted online services (e.g. Survey Monkey, Google Forms, MailChimp, Doodle, Eventbrite, Type Form). Use Online Surveys or Microsoft Forms for surveys, and Outlook or Campaign Monitor in conjunction with interest mailing lists for bulk emails instead.
  • Regularly check for, and delete, files that contain personal information that is no longer required. 
  • You should protect your account details and stay vigilant against attacks, such as email phishing. This includes setting a strong password. 
  • If you are unsure about collecting, storing and using personal data, please  before acting. 

Further information