At Glyndŵr University, we take data privacy seriously. We are committed to complying with data protection law and handling personal data correctly and appropriately.
We are continuously working to update our policies and processes to ensure that we have the appropriate framework to support individuals’ rights.
What do I need to know?
Please think about how you manage personal information. For more information on personal information and the GDPR, please see the policies section of our website (https://www.glyndwr.ac.uk/en/InformationGovernance/Policies/) or visit the website of the Information Commissioner's Office (https://ico.org.uk/).
If you are a member of staff, you can access the internal information governance site (LINK) for help and support on how the GDPR affects you and what you need to know (note: you will need to be logged in with your University account to access this). You also need to ensure that you have completed the GDPR e-learning.
Data Protection Legislation
The new General Data Protection Regulation (GDPR) and the Data Protection Act 2018, designed to protect individuals' personal data, became law on 25 May 2018. Data protection legislation sets out rules and standards for the use and handling ('processing') of information ('personal data') about living, identifiable individuals ('data subjects') by organisations ('data controllers'). It is based around the notions of principles, rights and accountability obligations.
The harmonising and strengthening of data protection rules is a major part of the EU’s ambition to grow its digital economy, making better use of innovative services such as big data and cloud computing. Understandably, the UK also needs to be in a position to be part of this economic development.
The importance of this new legislation is signalled by the considerable increase in the maximum financial penalty that can be levied for a breach: from £500,000 to around £17 million (for public authorities) or 4% of turnover.
The changes brought about by the GDPR require us to be more conscientious about the way in which we process personal data, putting the rights of individuals at the heart of what we do, and being more transparent about how we use that data.
Data controllers processing personal data must follow - and be able to demonstrate that they are following - the data protection principles.
Under the GDPR, there are six principles. Personal data must be processed following these principles so that the data are:
- Processed fairly, lawfully and transparently - and only if there is a valid 'legal basis' for doing so.
- Processed only for specified, explicit and legitimate purposes.
- Adequate, relevant and limited.
- Accurate (and rectified if inaccurate).
- Not kept for longer than necessary.
- Processed securely - to preserve the confidentiality, integrity and availability of the personal data.
Personal Data Breaches
One of the most important accountability obligations concerns personal data breaches - that is, where personal data held by the University are lost, stolen, inadvertently disclosed to an external party, or accidentally published. Some typical examples of a personal data breach are:
- Sending an email or letter containing personal data to the wrong recipient.
- Accidentally disclosing personal email addresses (e.g. by using cc instead of bcc).
- Inadvertently publishing University records containing personal data, or login credentials allowing access to them, on the internet.
- Losing an unsecured laptop or other personal device storing University records containing personal data.
- Having a University website, email account or drive hacked, with personal data stolen or 'locked down' by the hacker.
Personal data breaches may arise from IT security incidents, but not all IT security incidents are personal data breaches, and vice versa. Some types of personal data breach have to be reported to the ICO and the affected data subjects within short timeframes, so recognising and reporting them internally is crucial. The University has a dedicated data breach process for dealing with instances where there has been (or where there is suspicion that there might have been) a data breach.
All members of staff within the University have a duty to report any such instances without delay. Also, if any students or members of the public become aware of a data breach at the University then we would strongly advise you to report it to us so we can investigate and take action.
Details of how we handle personal data breaches, including how to report a breach, can be found on the https://www.glyndwr.ac.uk/en/InformationGovernance/ReportaDataBreach/ page.
Under the GDPR, all organisations which process personal data must inform individuals about that processing in a concise, transparent and intelligible manner. This information needs to be written in clear and plain language and be easily accessible.
The University has numerous privacy notices to inform data subjects about how we process their personal information. Links to these can be found on
Under the GDPR, data subjects are given various rights, which are free to exercise:
- The right to be informed of how their personal data are being used - this right is usually fulfilled by the provision of 'privacy notices' as described above.
- The right of access to their personal data - accessing personal data in this way is usually known as making a subject access request.
- The right to have their inaccurate personal data rectified.
- The right to have their personal data erased where appropriate - also known as the right to be forgotten.
- The right to restrict the processing of their personal data pending its verification or correction.
- The right to receive copies of their personal data in a machine-readable and commonly-used format - known as the right to data portability.
- The right to object: to processing (including profiling) of their personal data that proceeds under particular legal bases; to direct marketing; and to processing of their data for research purposes where that research is not in the public interest.
- The right not to be subject to a significant decision based solely on automated decision-making using their personal data.
A response to a rights request normally needs to be sent within one month. However, nearly all of these rights are qualified in various ways and there are numerous specific exemptions both in the GDPR and in the DPA 2018 (for example, nearly all the rights may not apply if the personal data are being processed solely in an academic research context). These rights build upon and strengthen rights previously given to data subjects under the DPA 1998.
Data Protection and Brexit
Like all areas of law derived from the European Union, data protection legislation will be subject to changes following the UK's departure from the EU. This had been scheduled for 29 March 2019, and then either 12 April or 22 May 2019, but (unless cancelled altogether) this now looks likely to take place on 31 October 2019 at the latest. The specific changes will depend on the type of Brexit that occurs (in short, whether or not there is a deal with the EU at the point of withdrawal that covers data protection matters for a transitional period and possibly beyond).
Regardless of whether there is a deal or not, the key message is that all the substantive provisions of the GDPR (as supplemented by the DPA 2018) about principles, rights and accountability obligations will continue to apply in the UK following Brexit. Most of the changes will be technical ones to allow the GDPR to operate in a UK-only context without reference to EU institutions and bodies.
If the UK leaves the EU without a deal (or if that deal does not adequately cover data protection matters for a transitional period and possibly beyond), the main practical change for the University in the immediate term concerns transfers of personal data from organisations and businesses based within the European Economic Area (i.e. the EU countries plus Iceland, Liechtenstein and Norway) to the University. (Transfers of personal data from the University to organisations/businesses based in the EEA and beyond are not affected except in very limited circumstances.)
Find out about available GDPR-related training.