GDPR – Making sure you process personal data lawfully

Posted by rmt22 at Mar 22, 2018 03:37 PM
Our latest update regarding GDPR and data protection sets out information on how to ensure you are lawfully processing personal data.

Under the General Data Protection Regulation (GDPR) we can only process personal data if we have collected it based on an appropriate lawful basis. This lawful basis will vary depending on the type of data you hold and the reason why you hold and process that data. There will be six lawful bases for processing personal data. They are:

  • Consent – processing based on a clear affirmative action to agree to processing
  • Contract – processing necessary to comply with contractual obligations
  • Legal Obligation – processing necessary to comply with the law
  • Vital Interests – processing necessary to protect an individual’s vital interests (in matters of life and death)
  • Public Task – processing necessary to perform a specific task in the public interest that is set out in law
  • Legitimate interest – processing necessary where individuals would reasonably expect this to be the case (which will have a minimal privacy impact) or where there is a compelling justification for the processing

All services must now review the lawful basis on which they are processing personal data to ensure that it complies with GDPR. This can be done in the follow-up to the Personal Data Audit conducted last year. This will begin in late March and the colleagues involved in GDPR will be in contact with managers and information asset owners shortly with advice on how to proceed.

All services collecting personal data must also explain and reflect in Privacy Notices the lawful basis on which data is being collected and will be processed. For guidance on reviewing and drafting Privacy Notices please see here.

Services must identify a lawful basis before any data collection or processing begins. It is also important to note that changes cannot simply be made to the lawful basis after data processing has begun, and if a change is made, it must be communicated to all the affected individuals. Please seek advice from IAS if you think you need to make a change to the lawful basis after data processing has begun.

A Quick Guide on lawful bases has been produced, which includes the various bases that are available. It can be accessed on our GDPR pages.

Further information

Everyone can play their part in preparing for the GDPR. Please read our guide on the simple things that everyone can start doing to help prepare for GDPR on our GDPR pages.

Don’t forget to complete the University’s mandatory e-learning on information security, which can be accessed via Blackboard here.

GDPR drop-in surgeries are also being run on the following dates. Please come along with a question about GDPR:

  • Tuesday 27 March 2-3pm
  • Tuesday 10 April 11am-12noon
  • Wednesday 25 April 11am-12noon
  • Thursday 10 May 11am-12noon
  • Friday 18 May 11am-12noon

(Please note these are short surgeries to ask questions, not a formal training course.)